Wireshark mailing list archives
Dissect independently from the port number
From: Marcin Nawrocki <marcin.nawrocki () fu-berlin de>
Date: Thu, 7 Dec 2017 14:29:08 +0100
Dear Wireshark community,
I would like to dissect my packets independently from the port number for a small subset of protocols.
Reading the docs (README.heuristic [1]) suggests that normal dissectors (ND) are based on port numbers and have a higher priority than heuristic dissectors (HD). Due to FCFS detection order and performance reasons, I would also like to disable all dissectors and enable the dissectors only for the protocols I am interested in.
Is this actually possible? Some dissectors seem to add a ND and HD [2], some only a HD [3], others just have a ND [4].
I guess I need some clarification on the following command-line options and how they interact with ND/HD:
I'll have to work with tshark, a GUI is of no help as I have quite a lot of data and want to dissect things automatically.
  -d <layer type>==<selector>,<decode-as protocol>
  --enable-protocol <proto_name>      Enable dissection of proto_name.
  --disable-protocol <proto_name>     Disable dissection of proto_name.
  --enable-heuristic <short_name>     Enable dissection of heuristic protocol.
  --disable-heuristic <short_name>    Disable dissection of heuristic protocol.
Thanks in advance and regards,
Marcin
[1] https://github.com/wireshark/wireshark/blob/master/doc/README.heuristic
[2] https://github.com/wireshark/wireshark/blob/b3c68951913497d0797614636ef6784becb1a5b6/epan/dissectors/packet-dnp.c
[3] https://github.com/wireshark/wireshark/blob/2832f4e97d77324b4e46aac40dae0ce898ae559d/epan/dissectors/packet-s7comm.h
[4] https://github.com/wireshark/wireshark/blob/b16d487cbc70a441d26a1052b22d1bb0132b1cbc/epan/dissectors/packet-mbtcp.c
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe