Wireshark-dev: [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?

From: Triton Circonflexe <triton+enuiqr@xxxxxxxxxx>
Date: Wed, 19 Nov 2025 19:48:59 +0000
Hi,

Personal opinion here: also default off, but with the possibility of exceptions for heuristics known to have a low rate of false positives (the value of "low" to be defined, of course).

The example I have in mind is (of course) Thrift where it is documented in the code to be very conservative in heuristic mode and tries much harder when forced with Decode As.
I think that the difficulty with this approach is to define the "acceptable" rate of false positives (which may very well exclude Thrift anyway).

The more magic/fixed bits and bytes the protocol has, mostly in a header, the fewer false positives it will generate.

My 2 cents,

Triton.

On Wed, 19 Nov 2025 at 14:53, Anders Broman <a.broman58@xxxxxxxxx> wrote:
Hi,
Should heuristics (udp/tcp) be default off to speed up dissection of larger files? Or
should we just disable the more unusual ones?

I'm leaning towards default off and users would have to learn to enable relevant ones.
Or is that too much to ask from inexperienced users? On the other hand it can be hard to
know if a heuristic detection is a false positive.
Best regards
Anders
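As an added illustration of the two paths Triton contrasts (a conservative heuristic versus a dissector forced through Decode As), here is a small Wireshark Lua dissector written for this thread; it is not Thrift's code nor anything from the Wireshark tree. It assumes a hypothetical UDP protocol "EXMP" with a 4-byte ASCII magic followed by a 2-byte total-length field; the heuristic only claims a datagram when both fixed fields agree, while the Decode As registration dissects whatever the user points at it.

```lua
-- Hypothetical "EXMP" protocol (constructed for this example, not a real protocol).
-- Assumed layout: 4-byte ASCII magic "EXMP", 2-byte big-endian total length, then payload.
local exmp = Proto("exmp", "Example Magic Protocol (illustrative)")

local f_magic   = ProtoField.string("exmp.magic",   "Magic")
local f_length  = ProtoField.uint16("exmp.length",  "Length")
local f_payload = ProtoField.bytes ("exmp.payload", "Payload")
exmp.fields = { f_magic, f_length, f_payload }

local EXMP_MAGIC = "EXMP"   -- 32 fixed bits: a random payload matches with probability 2^-32
local HEADER_LEN = 6

-- Full dissector. Reached either after the heuristic has accepted the packet
-- or directly via Decode As, in which case nothing is re-checked: the user has
-- asserted the protocol, so we dissect as hard as we can and flag what we find.
function exmp.dissector(buffer, pinfo, tree)
  pinfo.cols.protocol = "EXMP"
  local subtree = tree:add(exmp, buffer(), "Example Magic Protocol")
  if buffer:len() < HEADER_LEN then
    return buffer:len()                        -- too short even for the header
  end
  subtree:add(f_magic,  buffer(0, 4))
  subtree:add(f_length, buffer(4, 2))
  if buffer:len() > HEADER_LEN then
    subtree:add(f_payload, buffer(HEADER_LEN))
  end
  return buffer:len()
end

-- Conservative heuristic: claim the datagram only when every fixed field agrees.
-- Each additional check here lowers the false-positive rate discussed above.
local function exmp_heuristic(buffer, pinfo, tree)
  if buffer:len() < HEADER_LEN then return false end
  if buffer(0, 4):string() ~= EXMP_MAGIC then return false end   -- magic bytes
  local declared = buffer(4, 2):uint()
  if declared ~= buffer:len() then return false end               -- length must match datagram
  exmp.dissector(buffer, pinfo, tree)
  return true
end

-- Heuristic path: subject to the default on/off policy being debated.
exmp:register_heuristic("udp", exmp_heuristic)
-- Decode As path: the user forces the dissector onto a chosen UDP port.
DissectorTable.get("udp.port"):add_for_decode_as(exmp)
```

Load it from the Wireshark plugins directory and toggle it under Analyze > Enabled Protocols to see the heuristic path disappear while Decode As keeps working.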