user5509213

Reputation: 11

How does Wireshark identify DNS traffic when it also uses a RADIUS port as its UDP port? And how can I tell?

My program is doing the packet analysis. I now have a problem around DNS/RADIUS. DNS uses UDP port 53; RADIUS uses UDP ports 1645/1646/1812/1813.

The logic is: if I see 53 then it is a DNS packet; if I see 1812... it is a RADIUS packet. Then the problem comes: some DNS packets also use RADIUS ports, e.g. UDP src port 53/dst port 1812 or vice versa. Then my program cannot handle this.

But Wireshark doesn't get confused, so I am wondering how it is capable of knowing the true protocol. Does it attempt to decode the payload and then tell? Or does the underlying libpcap or something have the ability to tell the true protocol type? So if I could use code from libpcap, does libpcap provide the functionality of telling the carried protocols?

Can anyone please help? I googled for a while but got no results yet.

Thanks, Kang

Upvotes: 1

Views: 696

Answers (2)

user862787

Wireshark uses various techniques to identify protocols. For DNS and RADIUS, it does it based on the port number. The code that does that looks up the numerically lower port number first and, if it doesn't find a dissector for that port number, looks up the numerically higher port number, so a packet going between ports 53 and 1812 will be identified as DNS rather than RADIUS because 53, the port for DNS, is numerically lower than 1812, the port for RADIUS.

If there happened to be RADIUS traffic between ports 1812 and 53, Wireshark would get confused.

The only way to work around that would be to have the DNS dissector try to look at the packet data and guess whether it's DNS or to have the RADIUS dissector try to look at the packet and guess whether it's RADIUS and, if it's not a packet for that dissector, return a "this isn't for me" indication so that another dissector can be tried.

There is no magic solution guaranteed to correctly identify all protocols running over TCP or UDP. There are only heuristics based on port numbers and packet contents; they may get the right answer 99 44/100% of the time, but there will still be that 56/100% of the time when that doesn't work and you'll have to intervene manually (for example, using the "Decode As..." mechanism in Wireshark, or the -d command-line equivalent in TShark).

And, no, as Steffen Ullrich indicated, libpcap doesn't do that for you; different applications using libpcap (tcpdump, Wireshark, etc.) may do it differently.

Upvotes: 3

Steffen Ullrich

Reputation: 123531

libpcap does not provide such functionality. One thing is that Wireshark will look into the packets and detect the structure, but it limits what it looks for by the ports/protocols in use. The other thing is that you will usually not find a packet to a RADIUS server originating from port 53, or a packet to a DNS server from port 1812, because clients usually implicitly use an ephemeral port, which is much, much higher.

Upvotes: 2
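As an added example (not code from the question, either answer, Wireshark or libpcap), the Python below models the two mechanisms the answers describe: the port-table dispatch that tries the numerically lower port first, and a payload sanity check that lets a dissector say "this isn't for me" so the other port's dissector gets a turn. The port table, the DNS and RADIUS header checks and the four sample packets (including an Access-Request sent from port 53, the case the port rule alone gets wrong) are all constructed here; the checks are my own approximations of the kind of heuristic the first answer talks about, not Wireshark's dissector code, and the ephemeral-port samples illustrate the second answer's point that the collision is rare in practice.

```python
"""DNS vs. RADIUS over UDP: port-priority dispatch plus payload sanity checks.

Added example modelled on the two answers above; not Wireshark's or libpcap's code.
Port table, heuristics and sample packets are all constructed for this demonstration.
"""
import struct

# Well-known UDP ports named in the question. Ephemeral source ports are absent on
# purpose: that is why a src 53 / dst 1812 packet is unusual in the first place.
PORT_TABLE = {53: "dns", 1645: "radius", 1646: "radius", 1812: "radius", 1813: "radius"}

# RFC 2865/2866 codes: Access-Request/Accept/Reject, Accounting-Request/Response,
# Access-Challenge, Status-Server, Status-Client.
RADIUS_CODES = {1, 2, 3, 4, 5, 11, 12, 13}


def classify_by_port(sport, dport):
    """Port rule from the first answer: lower port first, then the higher one."""
    for port in sorted((sport, dport)):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    return None


def _encode_name(qname):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def _skip_name(payload, offset):
    """Walk one wire-format name; return the offset after it, or None if malformed."""
    while True:
        if offset >= len(payload):
            return None
        length = payload[offset]
        if length == 0:                      # root label ends the name
            return offset + 1
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer ends the name
            return offset + 2 if offset + 2 <= len(payload) else None
        if length > 63:                      # labels are at most 63 octets (RFC 1035)
            return None
        offset += 1 + length


def looks_like_dns(payload):
    """Header sanity checks plus a walk of the question section."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or flags & 0x0040:         # only QUERY/IQUERY/STATUS; Z bit must be zero
        return False
    offset = 12
    for _ in range(qdcount):                 # each question is NAME, QTYPE, QCLASS
        offset = _skip_name(payload, offset)
        if offset is None or offset + 4 > len(payload):
            return False
        offset += 4
    return True


def looks_like_radius(payload):
    """Code, Length field and attribute TLV chain must agree with each other (RFC 2865)."""
    if len(payload) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code not in RADIUS_CODES or not 20 <= length <= 4096 or length > len(payload):
        return False
    offset = 20                              # attributes follow the 16-byte Authenticator
    while offset < length:                   # Type(1) Length(1) Value..., Length >= 2
        if offset + 2 > length or payload[offset + 1] < 2:
            return False
        offset += payload[offset + 1]
    return offset == length                  # bytes past Length are padding and ignored


HEURISTICS = {"dns": looks_like_dns, "radius": looks_like_radius}


def classify(sport, dport, payload):
    """Port rule first; if that dissector rejects the payload, try the other port's
    dissector; if nobody claims the packet, it stays plain UDP data."""
    first = classify_by_port(sport, dport)
    if first is None:
        return "data"
    if HEURISTICS[first](payload):
        return first
    for port in (sport, dport):
        other = PORT_TABLE.get(port)
        if other and other != first and HEURISTICS[other](payload):
            return other
    return "data"


# --- constructed sample packets ---------------------------------------------
def build_dns_query(txid, qname):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD set, one question
    return header + _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def build_dns_response(txid, qname, addr):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)        # QR, RD, RA; one answer
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(addr)  # name -> offset 12
    return header + question + answer


def build_radius(code, ident, authenticator, attrs):
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


AUTHENTICATOR = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")   # fixed here, random in real life
ACCESS_REQUEST = build_radius(1, 0x2A, AUTHENTICATOR, [(1, b"bob"), (4, bytes([192, 0, 2, 1]))])

SAMPLES = [  # (src port, dst port, payload, note)
    (54321, 53, build_dns_query(0x1234, "example.com"), "ordinary query from an ephemeral port"),
    (53, 1812, build_dns_response(0x1234, "example.com", [192, 0, 2, 1]), "DNS answer aimed at a RADIUS port"),
    (49152, 1812, ACCESS_REQUEST, "ordinary Access-Request from an ephemeral port"),
    (53, 1812, ACCESS_REQUEST, "Access-Request sent from port 53: the port rule alone misfires"),
]


def run_samples():
    """Return (port-only verdict, verdict with payload checks) for each sample."""
    return [(classify_by_port(s, d), classify(s, d, p)) for s, d, p, _ in SAMPLES]


if __name__ == "__main__":
    for (sport, dport, _payload, note), (by_port, final) in zip(SAMPLES, run_samples()):
        print(f"{sport:>5} -> {dport:<5} port rule: {str(by_port):<7} "
              f"with payload check: {final:<7} ({note})")
```

The fourth sample is the interesting one: the port rule picks DNS because 53 is the lower port, the DNS check fails because the RADIUS Length field and Authenticator bytes do not parse as a sane DNS header and question, and the RADIUS check then claims the packet. Because the Authenticator is random in real traffic, a RADIUS packet can occasionally pass the DNS header test, which is exactly why the first answer calls these heuristics and keeps "Decode As..." as the manual fallback.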
