Some binary analysis tools have a scan/deep scan feature for slower, memory-intensive and time-consuming analysis. Perhaps Wireshark might benefit from that?
I agree that a scan against heuristics with every load, as it currently does, has quite some performance impact and might be undesirable, but perhaps it might be more user-friendly to have a 'deep scan' feature that users can press/toggle (but default off) when they want to see if there is any match against any known protocol?
On Nov 19, 2025, at 6:53 AM, Anders Broman <a.broman58@xxxxxxxxx> wrote:
> Should heuristic (udp/tcp) be default off to speed up dissection of larger files? Or
> should we just disable the more unusual ones?
I'd vote for "disable the more unusual ones" - or "have profiles that disable the ones unlikely to be used in that context".
ONC RPC, for example, has some pretty good heuristics, and, at least at one point, was fairly common, even for protocols that, unlike portmap/NFS, don't have ports assigned to them (e.g., YP/NIS). I'd leave that one enabled.
Do we have any numbers on how much of a performance improvement results from disabling all heuristics?
_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@xxxxxxxxxxxxx