How to know the application layer protocol in TCP?
I saw in Wireshark that there's no dedicated field to identify the application layer protocol, but how does Wireshark do that?
Wireshark (libpcap) only knows the IPs, transport protocol (UDP/TCP) and the ports. With this info it tries to decode the frames with a candidate protocol "decoder". Usually it makes mistakes. If you want more accurate protocol identification you have to use a deep packet inspection analyzer. More info: http://en.wikipedia.org/wiki/Deep_packet_inspection
This email list entry describes a bit about Wireshark heuristics.
In short, Wireshark uses the port/protocol number as well as magic constants when available. The heuristics can also use special properties of the payload (in HTTP one could look for the strings GET/POST/... at the beginning of some traffic). The dissectors (as they are called) can also look at other packets in the traffic, which is useful when some other application hijacks port 80; for instance, Skype does this every now and then.