Wireshark · Wireshark-dev: [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?

Wireshark-dev: [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?

From: Guy Harris <gharris@xxxxxxxxx>

Date: Thu, 20 Nov 2025 23:08:33 -0800

On Nov 19, 2025, at 6:53 AM, Anders Broman <a.broman58@xxxxxxxxx> wrote:

> Should heuristic (udp/tcp) be default off to speed up dissection of larger files? Or
> should we just disable the more unusual ones?

I'd vote for "disable the more unusual ones" - or "have profiles that disable the ones unlikely to be used in that context".

ONC RPC, for example, has some pretty good heuristics, and, at least at one point, was fairly common, even for protocols that, unlike portmap/NFS, don't have ports assigned to them (e.g., YP/NIS). I'd leave that one enabled.

Do we have any numbers on how much of a performance improvement results form disabling all heuristics?

Follow-Ups:
- [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?
  - From: R Massink
- [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?
  - From: Guy Harris

References:
- [Wireshark-dev] Heuristic dissectors default on/off - selection?
  - From: Anders Broman

Prev by Date: [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?
Next by Date: [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?
Previous by thread: [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?
Next by thread: [Wireshark-dev] Re: Heuristic dissectors default on/off - selection?
Index(es):
- Date
- Thread