In addition to relying on well-known ports (or other similar fields), Wireshark has the concept of a "heuristic decoder", where it tries to guess the protocol based on the content. Look for the word "heuristic" in the Wireshark documentation and source code to see examples.
Gilbert

On Mon, Mar 31, 2025 at 10:02 AM brave1094 <brave1...@korea.ac.kr> wrote:
> Dear Wireshark Team,
>
> My name is Yoon-Seong Jang, a combined Master's and Ph.D. student at Korea
> University in the Republic of Korea.
>
> We are currently conducting research focused on analyzing various types of
> application traffic and malicious traffic, with the goal of classifying
> them using deep learning techniques.
>
> In this process, Wireshark has been an invaluable tool and is widely used
> in our research.
>
> The reason I am reaching out via email is to ask about how Wireshark
> determines the protocol of each packet or flow when decoding a given pcap
> file.
>
> From our observations, it seems that the protocol is often determined
> based on the port number. However, we would greatly appreciate a more
> objective explanation or documentation regarding the actual rules or logic
> used by Wireshark for protocol decoding.
>
> A detailed explanation would be extremely helpful for our research.
>
> Thank you very much for taking the time to read this email despite your
> busy schedule.
>
> Sincerely,
> Yoon-Seong Jang
>
> _______________________________________________
> Wireshark-dev mailing list -- wireshark-dev@wireshark.org
> To unsubscribe send an email to wireshark-dev-le...@wireshark.org
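To see the content-based guessing Gilbert describes, the following is a Lua heuristic dissector of the kind Wireshark loads from its plugin directory; it is an added example, not code from this thread or from the Wireshark project, and the protocol name "exmp", its 4-byte magic and its length field are assumptions made for illustration.

```lua
-- Added example (not from the thread): a Wireshark Lua heuristic dissector
-- that claims UDP payloads by their content, independent of the port.
-- The "EXMP" magic and 2-byte length field are an assumed toy format.
local exmp = Proto("exmp", "Example Heuristic Protocol")

local f_magic = ProtoField.string("exmp.magic", "Magic")
local f_len   = ProtoField.uint16("exmp.len", "Payload length", base.DEC)
exmp.fields = { f_magic, f_len }

-- Wireshark calls every heuristic dissector registered for "udp" when no
-- port-based dissector took the packet (or before them, if the protocol is
-- configured to try heuristics first). The function must return true only
-- when it is confident; returning false lets the next candidate try.
local function heur_dissect_exmp(buf, pinfo, tree)
    -- Cheap structural checks first: too short, wrong magic, or a length
    -- field that disagrees with the buffer are all rejected.
    if buf:len() < 6 then return false end
    if buf(0, 4):string() ~= "EXMP" then return false end
    local declared = buf(4, 2):uint()
    if declared ~= buf:len() - 6 then return false end

    -- Confident enough: label the packet and build the protocol subtree.
    pinfo.cols.protocol = "EXMP"
    local subtree = tree:add(exmp, buf(), "Example Heuristic Protocol")
    subtree:add(f_magic, buf(0, 4))
    subtree:add(f_len, buf(4, 2))
    return true
end

-- Register on the UDP heuristic list; appears under Analyze > Enabled Protocols
-- as "exmp_udp", where it can be toggled like any other heuristic dissector.
exmp:register_heuristic("udp", heur_dissect_exmp)
```

The length check is what keeps a four-byte magic from mislabelling unrelated traffic; weaker heuristics are why Wireshark lets users disable individual ones.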