It would be nice to have a PCAP which shows the issue. For now I flame
graph'ed this one:
https://www.malware-traffic-analysis.net/2025/07/23/2025-07-23-ten-days-of-scans-and-probes-and-web-traffic-hitting-my-web-server.pcap.zip
(https://www.malware-traffic-analysis.net/2025/07/23/index.html) but
it's maybe not random enough and very little time is spent in trying
the heuristics.
See the attached picture.
Eugene
On Fri, 21 Nov 2025 at 10:25, Eugène Adell <eugene.adell@xxxxxxxxx> wrote:
>
> Hi,
>
> About the Enabled Protocols dialog, it looks like the User Guide was
> not updated for a while and this specific Heuristics topic would
> benefit to be more detailed.
> I am opening an issue to track this documentation update.
>
>
> On Fri, 21 Nov 2025 at 10:21, Anders Broman <a.broman58@xxxxxxxxx> wrote:
> >
> > The main concern I try to address is when we have a large number of heuristics trying to match on a large number of packets but making no match.
> >
> > As an example, one of the dissectors switched to heuristics default off deals with communication between a controller and a drone, which must be a very rare case.
> >
> > In the gui it is easy to turn all heuristics on or off. Making a selection is more difficult as you would have to understand in what kind of environment the protocols may be used.
> >
> >
> >
> >
> > On Fri, 21 Nov 2025 09:49, Guy Harris <gharris@xxxxxxxxx> wrote:
> >>
> >> On Nov 20, 2025, at 11:08 PM, Guy Harris <gharris@xxxxxxxxx> wrote:
> >>
> >> > Do we have any numbers on how much of a performance improvement results from disabling all heuristics?
> >>
> >> ...bearing in mind that disabling those heuristics could speed up dissection *because packets aren't being dissected past a certain point*.
> >>
> >> E.g., testing with a large NFS capture (NFS is recognized by its ONC RPC program number, not by being on port 2049, and ONC RPC is recognized by heuristics) would probably show a speedup because neither the ONC RPC dissector nor the NFS dissector are called, regardless of time spent with heuristics that fail.
> >>
> >> Note, though, that the ONC RPC dissector sets the "conversation dissector" for the TCP connection or UDP "connection" to be the ONC RPC dissector once it recognizes an ONC RPC packet, so that dissection of subsequent packets shouldn't involve the heuristics.
> >>
> >> _______________________________________________
> >> Wireshark-dev mailing list -- wireshark-dev@xxxxxxxxxxxxx
> >> To unsubscribe send an email to wireshark-dev-leave@xxxxxxxxxxxxx
> >
Attachment:
flame_on_2025-07-23-ten-days-of-scans-and-probes-and-web-traffic-hitting-my-web-server.jpg
Description: JPEG image
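The thread raises two measurable points: Anders' concern that cost scales with (number of enabled heuristics) x (packets that match none of them), and Guy's note that a dissector which pins itself as the conversation dissector removes later packets of that flow from the heuristic path, so a naive before/after timing also includes the cost of dissecting the matched protocol itself. The toy model below is an added example written for this thread, not Wireshark code and not how packet-tcp.c or packet-rpc.c are implemented: the heuristic functions, protocol names ("drone", "chat"), the traffic mix and the `ToyEngine` class are all constructed here. It counts heuristic invocations for a traffic mix of one ONC RPC-like stream plus unmatched single-packet probes, with and without conversation pinning, so the reader can see which part of a speedup comes from skipping failed heuristics and which from no longer dissecting the matched flow.

```python
# Added example (not Wireshark's code): a toy model of heuristic sub-dissector
# dispatch that counts heuristic calls and conversation-dissector short-circuits.
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

    def conversation_key(self) -> frozenset:
        # Direction-independent address/port pair, like a Wireshark conversation.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


# Simplified heuristics constructed for this example. A real ONC RPC CALL
# starts with xid, msg_type = 0 (CALL) and rpcvers = 2; the check below is a
# stand-in for that, the other two are hypothetical magic-byte protocols.
def looks_like_oncrpc_call(p: Packet) -> bool:
    b = p.payload
    return len(b) >= 12 and b[4:8] == b"\x00\x00\x00\x00" and b[8:12] == b"\x00\x00\x00\x02"


def looks_like_drone_link(p: Packet) -> bool:
    return p.payload.startswith(b"DRN1")  # hypothetical rare controller/drone protocol


def looks_like_toy_chat(p: Packet) -> bool:
    return p.payload.startswith(b"CHAT ")  # hypothetical, just to have a third heuristic


# Dictionary order is the order heuristics are tried (constructed).
HEURISTICS: Dict[str, Callable[[Packet], bool]] = {
    "drone": looks_like_drone_link,
    "oncrpc": looks_like_oncrpc_call,
    "chat": looks_like_toy_chat,
}


@dataclass
class ToyEngine:
    enabled: Set[str]
    pin_conversations: bool = True  # model the "conversation dissector" short-circuit
    conversations: Dict[frozenset, str] = field(default_factory=dict)
    stats: Counter = field(default_factory=Counter)

    def dissect(self, p: Packet) -> str:
        key = p.conversation_key()
        if self.pin_conversations and key in self.conversations:
            # A previous packet of this flow was recognised: no heuristics run.
            self.stats["conversation_hits"] += 1
            name = self.conversations[key]
            self.stats["dissected_as:" + name] += 1
            return name
        for name, fn in HEURISTICS.items():
            if name not in self.enabled:
                continue
            self.stats["heuristic_calls"] += 1
            if fn(p):
                if self.pin_conversations:
                    self.conversations[key] = name
                self.stats["dissected_as:" + name] += 1
                return name
        # Nothing claimed the payload: it ends up as plain data.
        self.stats["dissected_as:data"] += 1
        return "data"


def build_traffic() -> List[Packet]:
    """Constructed traffic mix: one 20-packet RPC-like flow plus 50 unmatched probes."""
    pkts: List[Packet] = []
    rpc_call = b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x02" + b"\x00" * 20
    for _ in range(20):
        pkts.append(Packet("10.0.0.5", 40000, "10.0.0.9", 2049, rpc_call))
    # Single-packet probes to unregistered ports that no heuristic claims, a
    # stand-in for scan traffic. Port-based dispatch is deliberately not modelled.
    for i in range(50):
        pkts.append(Packet(f"198.51.100.{i % 200 + 1}", 50000 + i, "10.0.0.9", 9000 + i,
                           b"\x16\x03\x01junk"))
    return pkts


def run(enabled: Set[str], pin_conversations: bool = True) -> Counter:
    """Dissect the constructed traffic and return the call/outcome counters."""
    engine = ToyEngine(enabled=set(enabled), pin_conversations=pin_conversations)
    for p in build_traffic():
        engine.dissect(p)
    return engine.stats


if __name__ == "__main__":
    for label, on in (("all on", set(HEURISTICS)), ("drone off", {"oncrpc", "chat"}), ("all off", set())):
        print(f"{label:>10}: {dict(run(on))}")
    print(f"{'no pinning':>10}: {dict(run(set(HEURISTICS), pin_conversations=False))}")
```

With all three heuristics enabled the 50 unmatched probes account for 150 of the 152 heuristic calls, while the RPC flow costs two calls in total because its 19 later packets are served by the pinned conversation; with every heuristic off the call count is zero but the RPC flow is now "data", which is the part of a wall-clock speedup that has nothing to do with failed heuristics. Replacing `build_traffic()` with counts taken from a real capture (for example per-flow packet counts from tshark's conversation statistics) turns the same model into a rough estimate of how much a given heuristic default actually buys.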