Wireshark-bugs: [Wireshark-bugs] [Bug 12168] Some RPC messages sent over TCP not recognized heur

Date: Mon, 21 Mar 2016 01:27:27 +0000

Comment # 5 on bug 12168 from
(In reply to Jean Spector from comment #3)
> Presuming most users don't really need to recognize all the protocols in
> existence, maybe there could be other solutions - workarounds, really:
> * Let the user-specified "Decode As" take priority over the
> heuristics-driven decision (already mentioned above, adding it here for
> completeness' sake)

We'd have to separate user-specified "Decode As" from dissector-specified
registrations in order to do that.  That might be worth doing.

> * Let the user change the priority of protocols, e.g. RPC/NFS would go
> higher than SSL.

There's no such priority to be changed.  SSL is registering as "traffic for TCP
port XXX", RPC is registering as "let me take a look at it to see if it looks
like RPC".

The only priority is whether "this is for port XXX", for all values of XXX, is
checked first, or whether "let me take a look at this to see if it looks like
YYY", for all values of YYY, is checked first.  That's the "Try heuristic
sub-dissectors first" preferences for TCP and UDP; if that preference is
enabled for a given protocol, the "let me take a look at this to see if it looks
like YYY" dissectors get to look at the packets carried by that protocol first
and if one of them says "yes", the others don't get to see it, and if it's
disabled, the "this is for port XXX" dissectors get to see it first and, if
it's to or from that port, the "let me take a look at this to see if it looks like
YYY" dissectors don't get to look at it.

> * Let the user disable some dissectors.

That's been a feature of Wireshark for years.  In 2.x, go to Analyze -> Enabled
Protocols..., search for the protocol (SSL, in this case), and un-check its
checkbox.


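The dispatch order described in the comment above, as an added example that is not part of the original message and is not Wireshark's code. It is a simplified model: the port number 8443, the function names and the reduced ONC RPC check (record mark, then message type and version per RFC 5531) are assumptions made for illustration.

```python
import struct

# Simplified model of the dispatch order; constructed values, not Wireshark internals.
PORT_TABLE = {8443: "ssl"}  # "this is for port XXX" registration (port is constructed)

def looks_like_rpc(payload: bytes) -> bool:
    """Reduced ONC RPC-over-TCP check; Wireshark's real heuristic is stricter."""
    if len(payload) < 16:
        return False
    frag, _xid, msg_type, word3 = struct.unpack(">4I", payload[:16])
    if (frag & 0x7FFFFFFF) < 12:        # record mark: low 31 bits = fragment length
        return False
    if msg_type == 0:                   # CALL: next word is rpcvers, must be 2
        return word3 == 2
    return msg_type == 1 and word3 in (0, 1)  # REPLY: MSG_ACCEPTED / MSG_DENIED

HEURISTICS = [("rpc", looks_like_rpc)]  # "let me take a look at it" registrations

def dissect(src_port, dst_port, payload, heuristics_first=False, disabled=()):
    """Return the protocol name that claims the segment, or "data" if none does."""
    def by_port():
        for port in (src_port, dst_port):
            proto = PORT_TABLE.get(port)
            if proto and proto not in disabled:   # Enabled Protocols un-checked
                return proto
        return None

    def by_heuristic():
        for name, check in HEURISTICS:
            if name not in disabled and check(payload):
                return name
        return None

    # The "Try heuristic sub-dissectors first" preference only swaps the order.
    order = (by_heuristic, by_port) if heuristics_first else (by_port, by_heuristic)
    for step in order:
        proto = step()
        if proto:
            return proto                # first claimant wins; the rest never see it
    return "data"

# Constructed samples: an RPC CALL (last-fragment bit set, 40-byte body,
# program 100003 version 3 procedure 0, null credentials) and a TLS record header.
RPC_CALL = struct.pack(">11I", 0x80000028, 0x12345678, 0, 2, 100003, 3, 0, 0, 0, 0, 0)
TLS_HELLO = b"\x16\x03\x01\x00\x2e" + bytes(46)

if __name__ == "__main__":
    for kwargs in ({}, {"heuristics_first": True}, {"disabled": ("ssl",)}):
        print(kwargs, "->", dissect(40000, 8443, RPC_CALL, **kwargs))
```

With the defaults the RPC call on the port-registered connection is handed to the port's dissector; enabling the heuristic-first preference or disabling that protocol lets the RPC heuristic claim it.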