Dear Wireshark community,
I would like to dissect my packets independently from the port
number for a small subset of protocols.
Reading the docs (README.heuristic [1]) suggests that normal
dissectors (ND) are based on port numbers and have a higher
priority than heuristic dissectors (HD). Due to FCFS detection
order and performance reasons I would also like to disable all
dissectors and enable the dissectors only for the protocols I am
interested in.
Is this actually possible? Some dissectors seem to add a ND and
HD [2], some only a HD [3], others just have a ND [4].
I guess I need some clarification on the following command-line
options and how they interact with ND/HD:
  -d <layer type>==<selector>,<decode-as protocol>
  --enable-protocol <proto_name>
      Enable dissection of proto_name.
  --disable-protocol <proto_name>
      Disable dissection of proto_name.
  --enable-heuristic <short_name>
      Enable dissection of heuristic protocol.
  --disable-heuristic <short_name>
      Disable dissection of heuristic protocol.
I'll have to work with tshark; a GUI is of no help as I have quite a
lot of data and want to dissect things automatically.
Thanks in advance and regards,
Marcin
[1] https://github.com/wireshark/wireshark/blob/master/doc/README.heuristic
[2] https://github.com/wireshark/wireshark/blob/b3c68951913497d0797614636ef6784becb1a5b6/epan/dissectors/packet-dnp.c
[3] https://github.com/wireshark/wireshark/blob/2832f4e97d77324b4e46aac40dae0ce898ae559d/epan/dissectors/packet-s7comm.h
[4] https://github.com/wireshark/wireshark/blob/b16d487cbc70a441d26a1052b22d1bb0132b1cbc/epan/dissectors/packet-mbtcp.c
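The following is an added example and not part of Marcin's mail or the Wireshark project: a small POSIX shell wrapper that assembles a tshark command line from the options quoted above, pinning protocols to chosen ports with -d and toggling dissectors with --disable-protocol and --enable-heuristic. The decode-as table tcp.port and the protocol filter names dnp3, mbtcp and s7comm are standard Wireshark names; the heuristic short name dnp3_tcp is an assumption taken from packet-dnp.c, and list_heuristics shows how to confirm such names against the installed tshark before relying on them.

```shell
#!/bin/sh
# Added example, not from the original mail or the Wireshark tree: build a
# tshark invocation from the -d / --disable-protocol / --enable-heuristic
# options. Names used: tcp.port (decode-as table), dnp3 and mbtcp (protocol
# filter names), dnp3_tcp (assumed heuristic short name from packet-dnp.c;
# verify with list_heuristics).

# decode_as_args "tcp.port=20000:dnp3 tcp.port=502:mbtcp"
#   -> "-d tcp.port==20000,dnp3 -d tcp.port==502,mbtcp"
decode_as_args() {
  out=""
  for spec in $1; do
    table=${spec%%=*}          # layer type, e.g. tcp.port
    rest=${spec#*=}            # selector:protocol, e.g. 20000:dnp3
    selector=${rest%%:*}
    proto=${rest#*:}
    out="$out -d ${table}==${selector},${proto}"
  done
  printf '%s' "${out# }"
}

# toggle_args --disable-protocol "http dns"
#   -> "--disable-protocol http --disable-protocol dns"
toggle_args() {
  flag=$1
  out=""
  for name in $2; do
    out="$out $flag $name"
  done
  printf '%s' "${out# }"
}

# build_tshark_cmd <capture> <decode-as specs> <protocols to disable> <heuristics to enable>
# Emits the full command line (without running it) so it can be reviewed or
# logged before being applied to a large batch of captures.
build_tshark_cmd() {
  printf 'tshark -r %s %s %s %s' "$1" \
    "$(decode_as_args "$2")" \
    "$(toggle_args --disable-protocol "$3")" \
    "$(toggle_args --enable-heuristic "$4")"
}

# Dump the heuristic short names the installed tshark knows, so the names
# passed to --enable-heuristic can be checked instead of guessed.
list_heuristics() {
  if command -v tshark >/dev/null 2>&1; then
    tshark -G heuristic-decodes
  else
    echo "tshark not installed; cannot list heuristic dissectors" >&2
    return 1
  fi
}

# Constructed sample: capture.pcapng is a placeholder for your own file.
build_tshark_cmd capture.pcapng \
  "tcp.port=20000:dnp3 tcp.port=502:mbtcp" \
  "http dns" \
  "dnp3_tcp"
echo
```

Run the printed command with a known capture first and compare the protocol column against what the same file shows without the -d and toggle options; that is the quickest way to see whether a port-based dissector or a heuristic one is claiming the traffic.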