A port number equal to 80 is obviously not a sufficient condition. Is it a necessary condition that Wireshark has found a request message or response message in the application layer payload?
Switching the port number from the default one for MySQL resulted in wrong protocol recognition [in this answer](https://stackoverflow.com/a/43210984/5563916), so Wireshark might be simpler than you expect. – nnovich-OK Jul 25 '17 at 16:15
1 Answer
4
I'm not sure this is a full answer, but here is what I know regarding Wireshark's identification of HTTP packets (all items below are dissected as HTTP):
- TCP port 80
- TCP or UDP ports 8080, 8008, 591
- TCP traffic (on all ports) that has a line end (CRLF) and the line begins or ends with the string "HTTP/1.1"
- SSDP (Simple Service Discovery Protocol) in TCP or UDP port 1900
- DAAP (Apple's Digital Audio Access Protocol) in TCP port 3689
- IPP (Internet Printing Protocol) in TCP port 631

John
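
The matching rules listed in the answer above, written out as a small Python model. This is an added example, not part of the original answer and not Wireshark's own code. The function names, the sample segments, the reading of "the line" as the first line of the payload, and the empty-payload rule are assumptions made for illustration.

```python
# Added example: a model of the rules listed in the answer, not Wireshark's code.
HTTP_PORTS = {("tcp", 80), ("tcp", 3689), ("tcp", 631)}  # HTTP, DAAP, IPP
HTTP_PORTS |= {(t, p) for t in ("tcp", "udp") for p in (8080, 8008, 591, 1900)}  # incl. SSDP


def heuristic_match(payload: bytes) -> bool:
    """True if the first CRLF-terminated line begins or ends with 'HTTP/1.1'.

    Assumption: "the line" in the answer is read as the first line of the payload.
    """
    line, crlf, _ = payload.partition(b"\r\n")
    return bool(crlf) and (line.startswith(b"HTTP/1.1") or line.endswith(b"HTTP/1.1"))


def classify(transport: str, sport: int, dport: int, payload: bytes):
    """Return the rule that would label this segment HTTP, or None."""
    if not payload:
        return None  # assumption: no application-layer bytes, nothing to dissect
    for port in (sport, dport):
        if (transport, port) in HTTP_PORTS:
            return f"port {transport}/{port}"
    if transport == "tcp" and heuristic_match(payload):
        return "heuristic"
    return None


# Constructed sample segments: (transport, source port, destination port, payload)
SAMPLES = [
    ("tcp", 51000, 80, b"\x16\x03\x01\x02\x00"),                 # non-HTTP bytes on port 80
    ("tcp", 51000, 80, b""),                                     # bare ACK, no payload
    ("tcp", 51000, 3307, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    ("tcp", 3307, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("tcp", 51000, 3307, b"GET / HTTP/1.0\r\n\r\n"),             # version not in the rule
    ("udp", 51000, 5000, b"GET / HTTP/1.1\r\n\r\n"),             # heuristic is TCP-only
]


def run_samples():
    return [classify(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[:3], "->", verdict)
```

Under these rules the port match answers before any payload inspection, so non-HTTP bytes on port 80 get the HTTP label while an HTTP/1.0 request on an unlisted port gets none.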