How the protocol of a message is identified in Wireshark.

Ulster_Son
Member
69
05-01-2023, 10:40 AM
#1
I am just beginning with Wireshark. I watched a training video, but it was quite long, and I need specific answers to help with my coding job. How does the protocol of a message packet get identified in Wireshark? I have a .pcapng file I’ve been examining, and at first it looked like the first three hex digits were the key factor because they seemed unique to a protocol. But that’s not true. They actually belong to the destination address. Thanks in advance. Also, just to confirm: the hexadecimal representation in the third frame window represents the entire packet without any additions or deletions, is that correct? Is this assumption accurate?

The protocols I’m focusing on are:
ARP
HTTP
HTTP/JSON
MDNS
NBNS
TCP

I found some documentation online at documentation dot help:
https://documentation.help.Wireshark/Cha...idp3107168

1.1.6. Many protocol decoders
There are decoders (or dissectors, as they’re called in Wireshark) for a wide range of protocols: see Appendix B, Protocols and Protocol Fields.

Appendix B. Protocols and Protocol Fields
Wireshark differentiates between protocols (e.g., tcp) and their fields (e.g., tcp.port).

A full list of all protocols and protocol fields can be found at:
http://www.wireshark.org/docs/dfref/

And there are many protocols listed here
For HTTP and HTTP/JSON, the data stream in my .pcapng file starts with a Destination address followed by a Source address, and then something I find interesting. It is:
Type: IPv4 (0x0800)
And that’s the same for HTTP as well as HTTP/JSON.

So how do I tell the difference from that packet data?

At the same location, we have (0x0806) for ARP
On the same location, we have (0x0800) for MDNS — which is the same as HTTP, so this isn’t the answer
On the same location, we have (0x0800) for NBNS — also the same as HTTP, so this isn’t it
On the same location, we have (0x0800) for TCP — which is the same as HTTP, so this isn’t the answer

Wireshark is open source. So my only other option seems to be looking through the code.
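The chain Wireshark actually follows is a sequence of "next protocol" fields, not a fixed byte prefix: the Ethernet EtherType (0x0806 = ARP, 0x0800 = IPv4), then the IPv4 Protocol byte (6 = TCP, 17 = UDP), then the TCP/UDP port (80 = HTTP, 5353 = MDNS, 137 = NBNS), and for HTTP/JSON the Content-Type header inside the HTTP body. The script below is an added example (not from the poster or the Wireshark project) that walks that chain over constructed minimal frames; the MAC/IP addresses and the `build_frame` helper are assumptions for illustration only.

```python
import struct

# Dissector tables, in the same order Wireshark consults them: EtherType -> IP proto -> port.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTOS = {6: "TCP", 17: "UDP"}
TCP_PORTS = {80: "HTTP"}
UDP_PORTS = {5353: "MDNS", 137: "NBNS"}


def classify(frame: bytes) -> list:
    """Return the dissector chain for one raw Ethernet frame, e.g. ['IPv4', 'TCP', 'HTTP']."""
    chain = []
    # Ethernet header: 6-byte dst MAC, 6-byte src MAC, then the 2-byte EtherType at offset 12.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    chain.append(ETHERTYPES.get(ethertype, f"EtherType 0x{ethertype:04x}"))
    if ethertype != 0x0800:
        return chain  # ARP (and anything else) is fully identified by the EtherType alone
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes (low nibble of first byte)
    proto = ip[9]  # the Protocol field selects the transport dissector
    chain.append(IP_PROTOS.get(proto, f"IP proto {proto}"))
    if proto not in (6, 17):
        return chain
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    table = TCP_PORTS if proto == 6 else UDP_PORTS
    app = table.get(dport) or table.get(sport)  # ports select the application dissector
    if app:
        chain.append(app)
    hlen = (l4[12] >> 4) * 4 if proto == 6 else 8  # TCP data offset, or fixed 8-byte UDP header
    payload = l4[hlen:]
    # HTTP vs HTTP/JSON is decided by the Content-Type header, not by any lower-layer field.
    if app == "HTTP" and b"application/json" in payload.lower():
        chain.append("JSON")
    return chain


def build_frame(ethertype, proto=None, sport=0, dport=0, payload=b""):
    """Constructed minimal frame (assumed sample data); only fields classify() reads are meaningful."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)
    if ethertype != 0x0800:
        return eth + b"\x00" * 28  # placeholder ARP body
    ip = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto, 0, 0]) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    if proto == 6:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 8 + b"\x50" + b"\x00" * 7  # data offset = 5 words
    else:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    return eth + ip + l4 + payload
```

Load real frames with a pcap library (for example pyshark or scapy) and feed `classify()` the raw bytes to see the same chain the Protocol column shows.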
Mountain_Man8
Member
182
05-01-2023, 03:05 PM
#2
You seem to have many queries.
Forum guidelines forbid providing answers to homework-type questions.
The correct response is straightforward.
Give clear and relevant solutions for each of your concerns.