Question: How is a message's protocol determined in Wireshark?

xarzu (Distinguished, Apr 2, 2008)
I am new to wireshark. I started watching one training video but it was long and I am looking for specific answers to questions to help in my coding job.

How is a message packet's protocol determined in Wireshark? I have a .pcapng file I have been looking at and at first it seemed that the first three hex digits were the determining factor because they seemed to be unique to a protocol. But this is not the case. Instead they seem to be part of the destination address.

Thanks in advance.

Also, just to be sure: the hexadecimal representation in the third frame window represents the whole packet without anything added or taken away, right? Is this a correct assumption?

The protocols that I am interested in are:
ARP
HTTP
HTTP/JSON
MDNS
NBNS
TCP

I found some documentation online at documentation dot help: https://documentation.help/Wireshark/ChapterIntroduction.html#idp3107168

1.1.6. Many protocol decoders
There are protocol decoders (or dissectors, as they are known in Wireshark) for a great many protocols: see Appendix B, Protocols and Protocol Fields.
Appendix B. Protocols and Protocol Fields
Wireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port).
A comprehensive list of all protocols and protocol fields can be found at: http://www.wireshark.org/docs/dfref/
And there are lots of protocols listed here.

For HTTP and HTTP/JSON the data stream I have from my .pcapng file contains a data packet which starts with a Destination address followed by a Source address and then there is something I find interesting. It is:

Type: IPv4 (0x0800)

And that is the same for HTTP as well as HTTP/JSON

So how do I determine the difference from the packet data?

At the same location, we have (0x0806) for ARP
At the same location, we have (0x0800) for MDNS -- which is the same for HTTP, so this is not the answer
At the same location, we have (0x0800) for NBNS -- which is the same for HTTP, so this is not the answer
At the same location, we have (0x0800) for TCP -- which is the same for HTTP, so this is not the answer

Wireshark is open source. So my only other option, it seems, apart from getting an answer online, is to step through the code.
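The observation in the post above (EtherType 0x0806 for ARP, 0x0800 for everything carried in IPv4) is the first step of the chain Wireshark follows, and the remaining steps sit deeper in the frame. The following is an added example, not code from the original post or from Wireshark, that walks one raw Ethernet II frame the way Wireshark's dissector hand-off does: the EtherType at bytes 12-13 selects the next dissector (the first bytes are the destination MAC, as the post noticed), the IPv4 Protocol byte selects TCP or UDP, the port numbers select the application dissector, and the HTTP/JSON label comes from the Content-Type header of the HTTP message. The MAC and IP addresses, ports and payloads are constructed, and resolving the application purely by standard port is a simplification of what Wireshark does (it also runs heuristic dissectors and honours "Decode As" settings).

```python
"""Toy layer-by-layer dissector for raw Ethernet II frames. Added example for this thread,
not code from the post or from Wireshark. The tables are a tiny subset of Wireshark's
dissector registrations, and choosing the application protocol purely by well-known port
is a simplification (assumption: no "Decode As" overrides and no heuristic dissectors)."""
import struct

# Ethernet II: bytes 0-5 destination MAC, 6-11 source MAC, 12-13 EtherType. The EtherType
# selects the next dissector; IPv4 byte 9 (Protocol) selects the transport; ports select the app.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}
IP_PROTOS = {6: "TCP", 17: "UDP"}
TCP_PORTS = {80: "HTTP"}
UDP_PORTS = {137: "NBNS", 5353: "MDNS"}

def dissect(frame):
    """Protocol stack of one frame, outermost first; the last entry is what Wireshark
    shows in the Protocol column."""
    if len(frame) < 14:
        return ["Malformed"]
    layers = ["Ethernet"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    name = ETHERTYPES.get(ethertype)
    if name is None:
        return layers + ["EtherType 0x%04x" % ethertype]
    layers.append(name)
    if name == "ARP":
        return layers                      # ARP carries no further layer
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0  # header length in bytes, options included
    total_len = struct.unpack("!H", ip[2:4])[0] if len(ip) >= 4 else 0
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return layers + ["Malformed"]
    l4 = ip[ihl:total_len]                 # drops Ethernet padding after the datagram
    tname = IP_PROTOS.get(ip[9])
    if tname is None:
        return layers + ["IP protocol %d" % ip[9]]
    layers.append(tname)
    if len(l4) < (20 if tname == "TCP" else 8):
        return layers + ["Malformed"]
    sport, dport = struct.unpack("!HH", l4[:4])
    if tname == "TCP":
        payload = l4[(l4[12] >> 4) * 4:]   # data offset is the high nibble of byte 12
        app = TCP_PORTS.get(dport) or TCP_PORTS.get(sport)
    else:
        payload = l4[8:]
        app = UDP_PORTS.get(dport) or UDP_PORTS.get(sport)
    if app is None or not payload:
        return layers                      # e.g. a bare ACK on port 80 is shown as "TCP"
    layers.append(app)
    if app == "HTTP":
        head = payload.split(b"\r\n\r\n", 1)[0].lower()
        if b"content-type: application/json" in head:
            layers.append("HTTP/JSON")     # Protocol column label for a JSON body
    return layers

def protocol_column(frame):
    return dissect(frame)[-1]

# Constructed sample frames (not captured traffic), built inline so the example runs offline.
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IP_A, IP_B = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])

def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    # version/IHL, DSCP, total length, id, flags/offset, TTL, protocol, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def tcp(sport, dport, payload, flags=0x18):
    # seq, ack, data offset 5 (20-byte header), flags (PSH|ACK by default), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def sample_frames():
    arp_req = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, MAC_A, IP_A, b"\x00" * 6, IP_B)
    body = b'{"ok": true}'
    http_json = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(body)) + body
    dns_query = b"\x00\x00\x00\x00\x00\x01" + b"\x00" * 6 + b"\x05_http\x04_tcp\x05local\x00\x00\x0c\x00\x01"
    nbns_hdr = b"\x00\x00\x01\x10\x00\x01" + b"\x00" * 6   # 12-byte NBNS (DNS-style) header only
    return {
        "arp": ethernet(b"\xff" * 6, MAC_A, 0x0806, arp_req),
        "http": ethernet(MAC_B, MAC_A, 0x0800, ipv4(IP_A, IP_B, 6,
                         tcp(40000, 80, b"GET /api HTTP/1.1\r\nHost: example.test\r\n\r\n"))),
        "http_json": ethernet(MAC_A, MAC_B, 0x0800, ipv4(IP_B, IP_A, 6, tcp(80, 40000, http_json))),
        "tcp_ack": ethernet(MAC_B, MAC_A, 0x0800, ipv4(IP_A, IP_B, 6, tcp(40000, 80, b"", flags=0x10))),
        "mdns": ethernet(bytes.fromhex("01005e0000fb"), MAC_A, 0x0800,
                         ipv4(IP_A, bytes([224, 0, 0, 251]), 17, udp(5353, 5353, dns_query))),
        "nbns": ethernet(b"\xff" * 6, MAC_A, 0x0800,
                         ipv4(IP_A, bytes([192, 168, 1, 255]), 17, udp(137, 137, nbns_hdr))),
    }

if __name__ == "__main__":
    for label, frame in sample_frames().items():
        print("%-9s EtherType 0x%s  %s" % (label, frame[12:14].hex(), " / ".join(dissect(frame))))
```

Run stand-alone, the block prints one line per constructed frame with its EtherType and the resolved stack, so the four 0x0800 frames end up as TCP, HTTP, HTTP/JSON, MDNS and NBNS even though their EtherType is identical. The offsets assume the frame begins with a 14-byte Ethernet II header, which is what the bytes pane shows for an Ethernet capture: those bytes are the frame as the capture recorded it, which normally means without the Ethernet FCS (the NIC strips it before the capture library sees it) and cut off at the snapshot length if one was configured.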

Ralston18 (Titan, Moderator)
You have a lot of questions.

Almost seems like homework questions. Forum rules prohibit answering homework questions.

The solution is easy.

Provide and support what you believe to be the applicable answers to each of your questions.

Post accordingly.