On Apr 23, 2012, at 10:56 AM, Gerald Combs wrote:
> Wireshark has transport name resolution enabled by default.
> Unfortunately protocol numbers often get mapped to the wrong name, which
> can lead to confusion:
>
> https://ask.wireshark.org/questions/10380/what-is-commplex-main
>
> It seems like the "services" file has effectively become "a list of
> things not running on the network".
As in "a list of obscure old protocols that nobody remembers any more". :-)
> This is especially true for OSes
> that use the old-style (1024 - 4999) ephemeral port range. Is there any
> reason we shouldn't disable transport name resolution by default for the
> 1.8 release?
Sounds good to me.
It'd be interesting to see how many dissectors for stuff running atop TCP or UDP are old-fashioned dissectors registering for hardwired port numbers and how many either
1) have a port number/numbers preference;
2) are new-style dissectors that can say "this might be for the port that's nominally mine, but it's not me";
3) are heuristic dissectors;
and how often "Decode As..." is used to override whatever decision Wireshark makes.
In the early days of TCP/IP, port numbers might have been useful protocol indicators; over time they've become less useful.
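
Added example, not part of the original thread and not Wireshark code: a Python sketch of the mislabeling discussed above, where a naive port-to-name lookup gives a client's ephemeral source port a service name. The services excerpt and flows are constructed, and the "suspect" rule (a named port in 1024 - 4999 whose peer port is below 1024) is an assumed heuristic.

```python
import re

# Constructed excerpt in "services" file format (names as registered with IANA).
SERVICES = """\
http            80/tcp      # World Wide Web
socks           1080/tcp
ms-sql-s        1433/tcp
mysql           3306/tcp
commplex-main   5000/tcp
"""

# Old-style ephemeral port range mentioned in the thread (1024 - 4999).
EPHEMERAL_OLD = range(1024, 5000)

def parse_services(text):
    """Build {(port, proto): name} from services-format text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)\b", line)
        if m:
            table[(int(m.group(2)), m.group(3))] = m.group(1)
    return table

def resolve(port, proto, table):
    """Naive transport name resolution: name if listed, else the number."""
    return table.get((port, proto), str(port))

def label_flow(src, dst, proto, table):
    """Return (src_label, dst_label, suspect).

    suspect is True when a port that received a name lies in the old
    ephemeral range while its peer is below 1024, i.e. the named port is
    more likely a client's ephemeral port than the listed service.
    """
    suspect = any(
        (port, proto) in table and port in EPHEMERAL_OLD and peer < 1024
        for port, peer in ((src, dst), (dst, src))
    )
    return resolve(src, proto, table), resolve(dst, proto, table), suspect

if __name__ == "__main__":
    table = parse_services(SERVICES)
    # Constructed flows: (source port, destination port).
    for src, dst in [(1433, 80), (1080, 443), (51514, 3306)]:
        s, d, suspect = label_flow(src, dst, "tcp", table)
        note = "  <- name is probably spurious" if suspect else ""
        print(f"{src} -> {dst}: {s} -> {d}{note}")
```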