Most ND’s are enabled by default. If you want to disable many of them, I don’t think a long command-line is the best way to do that. Instead, you might want to use the Wireshark GUI initially to disable all protocols you don’t want enabled (Analyze -> Enabled Protocols). That will create/update the “disabled_protos” file in your Wireshark profile directory, which tshark should also use. This way, you won’t have to specify such a long list on the command-line.

There can also exist a file called “enabled_protos” that contains a list of dissectors that are normally disabled by default but have been explicitly enabled. The “transum” dissector comes to mind here. If you delete the “enabled_protos” file, you will restore all dissectors that are disabled by default to their disabled state.

For TCP, UDP and DCCP based protocols (and possibly others?), you can also control whether HD’s take precedence over ND’s via each one’s “Try heuristic sub-dissectors first” preference. Perhaps enabling one or more of these preferences will help you? You can enable the preference in the GUI or by directly modifying the “preferences” file if you know what you’re doing, or you can specify the option on the tshark command line, e.g., “tcp.try_heuristic_first:TRUE”

- Chris

From: Wireshark-users [mailto:wireshark-users-bounces@xxxxxxxxxxxxx]
On Behalf Of Marcin Nawrocki

Dear Wireshark community,

I would like to dissect my packets independently from the port number for a small subset of protocols. Is this actually possible? Some dissectors seem to add a ND and HD [2], some only a HD [3], others just have a ND [4]. I guess I need some clarification on the following command-line options and how they interact with ND/HD:

I'll have to work with tshark; a GUI is of no help as I have quite a lot of data and want to dissect things automatically.
Thanks in advance and regards, Marcin
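As an added example (not code from either poster), the profile-file approach and the preference syntax from Chris's reply put together: a helper writes a "disabled_protos" file (one protocol filter name per line) into a constructed profile directory, and a second helper assembles the tshark options that select that profile and set the "Try heuristic sub-dissectors first" preference for TCP and UDP. The profile name "portless", the sample protocol names, the profile path under ~/.config/wireshark and the PCAP variable are assumptions.

```shell
#!/bin/sh
# Constructed example: prepare a tshark profile that disables chosen
# normal dissectors and prefers heuristic dissectors on TCP/UDP.
# Assumption: profiles live under ~/.config/wireshark/profiles/<name>.
PROFILE_NAME="portless"
PROFILE_DIR="$HOME/.config/wireshark/profiles/$PROFILE_NAME"

# Write a disabled_protos file listing the given protocol filter names,
# one per line, which tshark reads from the selected profile directory.
write_disabled_protos() {
    dir="$1"; shift
    mkdir -p "$dir"
    {
        echo "# Protocols disabled in this profile, one filter name per line"
        for proto in "$@"; do
            echo "$proto"
        done
    } > "$dir/disabled_protos"
    echo "$dir/disabled_protos"
}

# Build the tshark options: -C selects the profile by name, and -o sets the
# "Try heuristic sub-dissectors first" preference for TCP and UDP.
tshark_heuristic_opts() {
    printf '%s' "-C $1 -o tcp.try_heuristic_first:TRUE -o udp.try_heuristic_first:TRUE"
}

# Usage sketch: only runs when tshark is installed and PCAP names a capture.
if command -v tshark >/dev/null 2>&1 && [ -n "$PCAP" ]; then
    write_disabled_protos "$PROFILE_DIR" http ssh >/dev/null
    # Word-splitting of the option string is intended here.
    tshark -r "$PCAP" $(tshark_heuristic_opts "$PROFILE_NAME") \
        -T fields -e frame.number -e _ws.col.Protocol
fi
```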