On Jan 3, 2016, at 9:35 AM, Michael Mann <mmann78@xxxxxxxxxxxx> wrote:
> To make Decode As less confusing, Wireshark is enforcing unique protocols for each table so duplicate entries don't show up in a Decode As list. This was a bigger problem with TCP and UDP were 1 protocol would have multiple dissectors that would do drastically different dissection, but you couldn't tell which was which from the dialog.
Most - but not all! - protocols that run over both TCP and UDP have a different encapsulation over TCP, as a packet length field has to be added when running over TCP (as the service TCP offers is a byte stream service, not a packet service).
But if you have a protocol that runs over multiple lower-level protocols, and *doesn't* require different encapsulations when run over different protocols, it *really* shouldn't be described as N different protocols based solely on running atop N different lower-level protocols.
And that applies equally strongly to a heuristic vs. a non-heuristic dissector - the protocols aren't different based solely on whether the dissector looks at the packet data or whether it's invoked for particular values of a lower-level protocol field.
(And, frankly, I find
Aeron Aeron Protocol
aeron_udp Aeron over UDP
confusing, so I'm not convinced this policy makes Decode As *usefully* less confusing. If "Aeron over UDP" is disabled, does that mean that Wireshark will *never* treat *any* UDP packets as Aeron packets under *any* circumstances with *any* configuration of Wireshark, including Decode As?)
