Wireshark mailing list archives

Re: Dissect independently from the port number


From: "Maynard, Chris" <Christopher.Maynard () IGT com>
Date: Tue, 2 Jan 2018 22:19:17 +0000

Most ND’s are enabled by default.  If you want to disable many of them, I don’t think a long command-line is the best 
way to do that.  Instead, you might want to use the Wireshark GUI initially to disable all protocols you don’t want 
enabled (Analyze -> Enabled Protocols).  That will create/update the “disabled_protos” file in your Wireshark profile 
directory, which tshark should also use.  This way, you won’t have to specify such a long list on the command-line.  
There can also exist a file called “enabled_protos” that contains a list of dissectors that are normally disabled by 
default but have been explicitly enabled.  The “transum” dissector comes to mind here.  If you delete the 
“enabled_protos” file, you will restore all dissectors that are disabled by default to their disabled state.

For TCP, UDP and DCCP based protocols (and possibly others?), you can also control whether HD’s take precedence over 
ND’s via each one’s “Try heuristic sub-dissectors first” preference.  Perhaps enabling one or more of these preferences 
will help you?  You can enable the preference in the GUI or by directly modifying the “preferences” file if you know 
what you’re doing, or you can specify the option on the tshark command line, e.g., “tcp.try_heuristic_first:TRUE”.
- Chris
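
The workflow described above (a profile’s “disabled_protos” file plus the try-heuristic-first preference given on the tshark command line), as an added example that is not part of this thread or of the Wireshark project; the profile name “ics”, the base keep list, the heuristic short name and the dnp3/s7comm/mbtcp filter names are assumptions, and the example assumes `tshark -G protocols` prints tab-separated lines whose third field is the filter name.

```shell
#!/bin/sh
# Added example (not from the thread or from Wireshark). It scripts the two steps
# Chris describes: generate a disabled_protos file that disables every dissector
# except a chosen subset (plus the base layers that must stay enabled), and build
# the tshark command line that uses that profile with "try heuristic first" on.
# Assumption: `tshark -G protocols` prints "<name>\t<short name>\t<filter name>".

# Lower layers that must never be disabled, or nothing above them is dissected.
BASE_KEEP="frame eth ethertype ip ipv6 tcp udp"

# Reads `tshark -G protocols` output on stdin and prints one filter name per line
# for every protocol NOT in the keep list, which is the disabled_protos format.
make_disabled_protos() {
    awk -F'\t' -v keep="$BASE_KEEP $*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        NF >= 3 && !($3 in keepset) { print $3 }
    '
}

# Prints the tshark command for profile $1 and capture file $2; any further
# arguments are heuristic dissector short names to enable explicitly
# (--enable-heuristic), on top of the "try heuristic first" preferences.
build_tshark_cmd() {
    profile="$1"; pcap="$2"; shift 2
    cmd="tshark -C $profile -o tcp.try_heuristic_first:TRUE -o udp.try_heuristic_first:TRUE"
    for h in "$@"; do cmd="$cmd --enable-heuristic $h"; done
    printf '%s -r %s\n' "$cmd" "$pcap"
}

# Usage ("ics" is a placeholder profile name; dnp3/s7comm/mbtcp are assumed filter names):
#   mkdir -p "$HOME/.config/wireshark/profiles/ics"
#   tshark -G protocols | make_disabled_protos dnp3 s7comm mbtcp \
#       > "$HOME/.config/wireshark/profiles/ics/disabled_protos"
#   eval "$(build_tshark_cmd ics capture.pcap)"
```

Check the generated file before relying on it: a missing base layer in the keep list silently turns every packet into undissected data.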


From: Wireshark-users [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Marcin Nawrocki
Sent: Thursday, December 7, 2017 8:29 AM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] Dissect independently from the port number


Dear Wireshark community,

I would like to dissect my packets independently from the port number for a small subset of protocols.

Reading the docs (README.heuristic [1]) suggests that normal dissectors (ND) are based on port numbers and have a 
higher priority than heuristic dissectors (HD). Due to FCFS detection order and performance reasons I would also like 
to disable all dissectors and enable the dissectors only for the protocols I am interested in.

Is this actually possible? Some dissectors seem to add a ND and HD [2], some only a HD [3], others just have a ND [4].

I guess, I need some clarification on the following command lines options and how they interact with ND/HD:

-d  <layer type>==<selector>,<decode-as protocol>

--enable-protocol <proto_name>
Enable dissection of proto_name.

--disable-protocol <proto_name>
Disable dissection of proto_name.

--enable-heuristic <short_name>
Enable dissection of heuristic protocol.

--disable-heuristic <short_name>
Disable dissection of heuristic protocol.

I'll have to work with tshark, a GUI is of no help as I have quite a lot of data and want to dissect things 
automatically.

Thanks in advance and regards,

Marcin

[1] https://github.com/wireshark/wireshark/blob/master/doc/README.heuristic
[2] https://github.com/wireshark/wireshark/blob/b3c68951913497d0797614636ef6784becb1a5b6/epan/dissectors/packet-dnp.c
[3] https://github.com/wireshark/wireshark/blob/2832f4e97d77324b4e46aac40dae0ce898ae559d/epan/dissectors/packet-s7comm.h
[4] https://github.com/wireshark/wireshark/blob/b16d487cbc70a441d26a1052b22d1bb0132b1cbc/epan/dissectors/packet-mbtcp.c


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
