tcpdump mailing list archives

Re: Request for new DLT and LINKTYPE value


From: Guy Harris <guy () alum mit edu>
Date: Tue, 13 Apr 2010 15:28:55 -0700


On Apr 13, 2010, at 2:34 PM, Edgar, Thomas wrote:

I am open to the possibility of going forward with that approach. Just to clarify, does this work by the user 
preselecting the framing mechanism before the capture is started?

Yes.

For instance, I would have to know that DNP3 is being communicated before I start the capture?

Yes.

With the timing method I am using, I was going for a method to capture anything from a COM port and then allow the 
parsing mechanism (like the heuristic dissectors in Wireshark) to determine what protocol is actually present.  I am 
going for a more hands-off user experience than requiring them to decide beforehand which protocol to capture.  What 
do you think?

I think heuristics are what you use when you can't use anything else; if they're too strong, they will fail to identify 
things that they should (and people will complain about it), and if they're too weak, they will identify things that 
they shouldn't (and people will complain about it).  We have had to tweak the heuristics in Wireshark dissectors and 
Wireshark file-type identifiers, sometimes more than once, and it's a pain.

If you can come up with sufficiently strong heuristics for the protocols in question, such that you can always, or 
almost always, correctly identify the protocol - and somebody isn't going to have to repeatedly tweak the heuristics, 
or even add a UI option to override it (at which point we have something not very different from an option you set when 
you do the capture) - then that might suffice.
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
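To make the "too strong / too weak" trade-off concrete for the protocol named in this thread, here is an added example; it is not code from tcpdump, Wireshark, or the poster's capture tool. It implements a DNP3 link-layer frame check (start octets 05 64, LEN, and the CRC-16/DNP header check) and runs a weak and a stronger heuristic over a constructed serial byte stream. The stream contents, the station addresses, and the damaged frame are all made up for the demo; the Reset Link frame it builds (05 64 05 C0 01 00 00 04 E9 21) is the standard encoding of dest 1, src 1024.

```python
"""Heuristic identification of DNP3 link-layer frames in a raw serial byte
stream.  Added example for this thread; not code from tcpdump, Wireshark or
the original poster.  All byte strings below are constructed for the demo."""
from typing import Callable, List, Optional

START = b"\x05\x64"        # DNP3 link-layer start octets
HEADER_LEN = 10            # start(2) len(1) ctrl(1) dest(2) src(2) crc(2)
BLOCK = 16                 # user data is CRC-protected in 16-octet blocks
POLY_REFLECTED = 0xA6BC    # CRC-16/DNP polynomial 0x3D65, bit-reversed


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected poly 0x3D65, init 0, final XOR 0xFFFF.
    The catalogue check value is crc_dnp(b"123456789") == 0xEA82."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a DNP3 link-layer frame with correct header and block CRCs."""
    length = 5 + len(user_data)          # LEN counts ctrl+dest+src+data, not CRCs
    if length > 255:
        raise ValueError("user data too long for one frame")
    header = (START + bytes([length, ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + crc_dnp(block).to_bytes(2, "little")
    return out


def weak_looks_like_dnp3(buf: bytes) -> bool:
    """Too weak: any 0x05 0x64 pair fires, so unrelated serial traffic matches."""
    return buf[:2] == START


def strong_looks_like_dnp3(buf: bytes) -> Optional[int]:
    """Stronger: start octets, LEN >= 5 and a valid header CRC.
    Returns the on-the-wire frame length, or None if it does not match.
    Too strong in one sense: a genuine frame damaged by a line error is
    rejected as 'not DNP3', which is the other complaint Guy describes."""
    if len(buf) < HEADER_LEN or buf[:2] != START:
        return None
    length = buf[2]
    if length < 5:                       # LEN always covers ctrl+dest+src
        return None
    if crc_dnp(buf[:8]) != int.from_bytes(buf[8:10], "little"):
        return None
    full_blocks, rem = divmod(length - 5, BLOCK)
    return HEADER_LEN + full_blocks * (BLOCK + 2) + (rem + 2 if rem else 0)


def scan(stream: bytes, heuristic: Callable[[bytes], object]) -> List[int]:
    """Offsets in a raw byte stream at which the heuristic claims a frame starts."""
    return [i for i in range(len(stream)) if heuristic(stream[i:])]


# Constructed serial capture: unrelated bytes that happen to contain 05 64,
# a genuine Reset Link frame (dest 1, src 1024), then a genuine data frame
# whose header CRC byte was damaged in transit.
NOISE = b"\x01\x03\x05\x64\x02\x00"
GOOD = build_frame(0xC0, 1, 1024)            # 05 64 05 C0 01 00 00 04 E9 21
DAMAGED = bytearray(build_frame(0xC4, 1, 1024, bytes(range(20))))
DAMAGED[8] ^= 0xFF                            # corrupt the header CRC
STREAM = NOISE + GOOD + bytes(DAMAGED)

if __name__ == "__main__":
    print("weak   :", scan(STREAM, weak_looks_like_dnp3))    # noise, good and damaged all fire
    print("strong :", scan(STREAM, strong_looks_like_dnp3))  # only the intact frame at offset 6
```

The weak check fires three times on this stream (offsets 2, 6 and 16), including on the non-DNP3 bytes; the strong check fires once, at offset 6, and silently drops the damaged frame at offset 16, which a serial-capture user would still want to see. That is exactly the tuning problem described above: neither threshold is right for everyone, and the alternative is to tell the capture tool the framing up front.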