On Nov 20, 2025, at 11:08 PM, Guy Harris <gharris@xxxxxxxxx> wrote:
> Do we have any numbers on how much of a performance improvement results form disabling all heuristics?
...bearing in mind that disabling those heuristics could speed up dissection *because packets aren't being dissected past a certain point*.
E.g., testing with a large NFS capture (NFS is recognized by its ONC RPC program number, not by being on port 2049, and ONC RPC is recognized by heuristics) would probably show a speedup because neither the ONC RPC dissector nor the NFS dissector are called, regardless of time spent with heuristics that fail.
Note, though, that the ONC RPC dissector sets the "conversation dissector" for the TCP connection or UDP "connection" to be the ONC RPC dissector once it recognizes an ONC RPC packet, so that dissection of subsequent packets shouldn't involve the heuristics.