Wireshark mailing list archives

Re: Transport name resolution considered harmful?


From: Guy Harris <guy () alum mit edu>
Date: Mon, 23 Apr 2012 11:07:59 -0700


On Apr 23, 2012, at 10:56 AM, Gerald Combs wrote:

> Wireshark has transport name resolution enabled by default.
> Unfortunately protocol numbers often get mapped to the wrong name, which
> can lead to confusion:
>
> https://ask.wireshark.org/questions/10380/what-is-commplex-main
>
> It seems like the "services" file has effectively become "a list of
> things not running on the network".

As in "a list of obscure old protocols that nobody remembers any more". :-)

> This is especially true for OSes
> that use the old-style (1024 - 4999) ephemeral port range. Is there any
> reason we shouldn't disable transport name resolution by default for the
> 1.8 release?

Sounds good to me.

It'd be interesting to see how many dissectors for stuff running atop TCP or UDP are old-fashioned dissectors registering for hardwired port numbers and how many either

        1) have a port number/numbers preference;

        2) are new-style dissectors that can say "this might be for the port that's nominally mine, but it's not me";

        3) are heuristic dissectors;

and how often "Decode As..." is used to override whatever decision Wireshark makes.

In the early days of TCP/IP, port numbers might have been useful protocol indicators; over time they've become less useful.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
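
Added example, not part of the original message and not Wireshark code: a small sketch of the mislabeling discussed in the thread, where a client's ephemeral source port in the old-style 1024 - 4999 range is looked up in a "services" table and gets a service name. The services excerpt and flows are constructed, and the "peer port below 1024" test for flagging a doubtful name is an assumption made for this illustration.

```python
# Constructed excerpt in /etc/services format (names are IANA registrations).
SERVICES = """\
http        80/tcp      # World Wide Web
ms-sql-s    1433/tcp
nfs         2049/tcp
mysql       3306/tcp
"""

OLD_EPHEMERAL = range(1024, 5000)  # old-style ephemeral range from the thread


def parse_services(text):
    """Build {(port, proto): name} from services-file lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table[(int(port), proto)] = name
    return table


TABLE = parse_services(SERVICES)


def resolve(port, proto, table=TABLE):
    """Transport name resolution: table lookup keyed on the port number only."""
    return table.get((port, proto), str(port))


def label_flow(src, dst, proto, table=TABLE):
    """Return (src_label, dst_label, doubtful_sides).

    Assumption for this sketch: a resolved name is doubtful when the port
    lies in the old ephemeral range and the peer is a port below 1024,
    i.e. the named side is most likely just the client end.
    """
    def doubtful(port, peer):
        return (port, proto) in table and port in OLD_EPHEMERAL and peer < 1024

    sides = [s for s, p, q in (("src", src, dst), ("dst", dst, src)) if doubtful(p, q)]
    return resolve(src, proto, table), resolve(dst, proto, table), sides


if __name__ == "__main__":
    # Constructed flows: (source port, destination port)
    for src, dst in [(1433, 80), (80, 3306), (49152, 3306)]:
        print(src, dst, label_flow(src, dst, "tcp"))
```
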