On 04/03/14 10:26, John Dill wrote:
I have network traffic that uses TCP port 8080 for sending non-http data
(on a private network with its own custom application layer on top of
TCP an UDP). Is there a recommendation for how to override or remove
this dissector? I still have port 80 for http traffic.
I can remove port 8080 from the default http dissector TCP port options,
and strip 'http-alt' out of services (to be replaced with a different
well-known service name). Is there anything else?
You don't have to change the services file unless you don't want to see
port 8080 translated into "http-alt" in Wireshark.
Removing port 8080 from the HTTP dissector's preference is probably the
best way. If you have a custom dissector for your protocol, registering
it for port 8080 *might* override the HTTP dissector but it's not
guaranteed (last I checked). As Alexis mentioned Decode-As would
override it.
I also noticed a disabled_protos.[ch], so maybe there is a feature to
disable other protocols. Is there a feature that could be used to hide
protocols I don't need in the Filter Expression (to reduce the list to
simplify the interface to users)?
No, I don't think there's a way to simplify what's in the Filter
Expression dialog short of removing dissectors from Wireshark (probably
more effort than it's worth).