Wireshark mailing list archives

Re: Enabling/disabling ANY heuristic dissector


From: Hadriel Kaplan <hadrielk () yahoo com>
Date: Sat, 11 Jul 2015 21:14:26 -0400


On Jul 6, 2015, at 3:12 AM, Guy Harris <guy () alum mit edu> wrote:

> The use case for some but not other underlying protocols would appear to be "traffic atop protocol X is rarely if
> ever mis-identified as being for protocol Z, so leave the heuristic on, but traffic atop protocol Y is often
> mis-identified as being for protocol Z, so turn the heuristic off". Would that be better handled by, for example, a
> UI to allow the user to specify the order in which heuristic checks are done, or something such as that (and a
> command-line option to do the same, so that this same functionality is available in TShark)?

I had actually been thinking that someday we might indeed offer the ability to control the ordering of heuristic 
dissectors.  I don’t think we need it now, as people seem ok with just disabling a heuristic and there aren’t that many.

There is, I think, a reasonable use-case for disabling a heuristic but keeping the main protocol enabled.

One example is RTP, which is extremely "correct" for its "main" protocol because it’s set up by SIP/H.323/etc., but is
often "incorrect" when enabled as a heuristic, either over raw UDP or in TURN messages (it matches too frequently).
Another example is TFTP, which is reasonably correct when its main dissector hooks into port 69, but is badly
inaccurate when its heuristic is used over TURN.

I mention those two because at my previous job I had to deal with captures of them, and the Gerrit changes 9489 and
9490 to add a preference to disable the TFTP heuristic, and disable RTP over TURN, were what triggered Michael's
suggestion that we make the enabling/disabling of heuristics a general feature.

-hadriel
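To make the over-matching point concrete, here is an added illustration (not Wireshark code, and not from the thread's authors) of how a heuristic dissector table behaves. It models a per-transport table of heuristics tried in order, each with an enable flag like the preference discussed above, and uses simplified RTP (RFC 3550 version bits) and TFTP (RFC 1350 opcodes) checks. The heuristic names `rtp_udp` and `tftp_udp`, the sample packets and the check logic are all constructed assumptions for this example.

```python
"""Toy model of heuristic-dissector dispatch with per-heuristic enable flags.

Added illustration only: the checks are simplified stand-ins for real
dissector heuristics, and all packets below are constructed, not captured.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


def rtp_heuristic(payload: bytes) -> bool:
    """Minimal RTP sniff: 12-byte header, version bits == 2 (RFC 3550).

    PT 72-76 is excluded because RFC 5761 reserves it for RTCP when the two
    share a port. Note how weak this is: any payload whose first byte is
    0x80-0xBF passes the version check, which is why an RTP heuristic over
    raw UDP claims far more traffic than is really RTP.
    """
    if len(payload) < 12:
        return False
    version = payload[0] >> 6
    payload_type = payload[1] & 0x7F
    return version == 2 and not 72 <= payload_type <= 76


TFTP_MODES = {b"netascii", b"octet", b"mail"}


def tftp_heuristic(payload: bytes) -> bool:
    """Minimal TFTP sniff based on the RFC 1350 opcode layout."""
    if len(payload) < 4 or payload[0] != 0:
        return False
    opcode = payload[1]
    if opcode in (1, 2):  # RRQ / WRQ: filename NUL mode NUL
        fields = payload[2:].split(b"\0")
        return len(fields) >= 3 and fields[0] != b"" and fields[1].lower() in TFTP_MODES
    if opcode == 3:  # DATA: block number followed by up to 512 bytes
        return len(payload) <= 516
    if opcode == 4:  # ACK: opcode + block number only
        return len(payload) == 4
    if opcode == 5:  # ERROR: code + NUL-terminated message
        return payload.endswith(b"\0")
    return False


@dataclass
class Heuristic:
    name: str                      # short name a user would enable/disable
    protocol: str                  # protocol the heuristic hands off to
    check: Callable[[bytes], bool]
    enabled: bool = True


class HeuristicTable:
    """Heuristics for one lower layer (e.g. UDP payload), tried in list order."""

    def __init__(self, heuristics: List[Heuristic]):
        self.heuristics = list(heuristics)

    def set_enabled(self, name: str, enabled: bool) -> None:
        for h in self.heuristics:
            if h.name == name:
                h.enabled = enabled
                return
        raise KeyError(name)

    def classify(self, payload: bytes) -> Optional[str]:
        """First enabled heuristic that accepts the payload wins."""
        for h in self.heuristics:
            if h.enabled and h.check(payload):
                return h.protocol
        return None


def make_udp_table() -> HeuristicTable:
    # Assumed ordering: RTP is tried before TFTP, as a plausible default.
    return HeuristicTable([
        Heuristic("rtp_udp", "RTP", rtp_heuristic),
        Heuristic("tftp_udp", "TFTP", tftp_heuristic),
    ])


def false_positive_rate(check: Callable[[bytes], bool], n: int = 4000,
                        size: int = 40, seed: int = 1) -> float:
    """Fraction of uniformly random payloads a heuristic accepts."""
    rng = random.Random(seed)
    hits = sum(check(bytes(rng.getrandbits(8) for _ in range(size))) for _ in range(n))
    return hits / n


# Constructed sample packets (not real captures).
RTP_PACKET = bytes([0x80, 0x08]) + b"\x12\x34" + b"\x00\x00\x00\x01" + b"\xde\xad\xbe\xef" + b"\x55" * 20
TFTP_RRQ = b"\x00\x01" + b"firmware.bin\0" + b"octet\0"
# Some unrelated UDP application whose first byte happens to be 0x9C (version bits 10).
LOOKALIKE = b"\x9c\x01" + b"\x00" * 30


def demo() -> dict:
    table = make_udp_table()
    before = table.classify(LOOKALIKE)          # misidentified as RTP
    table.set_enabled("rtp_udp", False)          # the preference from the thread
    after = table.classify(LOOKALIKE)            # no longer claimed
    return {"rtp_fp": false_positive_rate(rtp_heuristic),
            "tftp_fp": false_positive_rate(tftp_heuristic),
            "lookalike_before": before, "lookalike_after": after}


if __name__ == "__main__":
    print(demo())
```

The false-positive measurement is the interesting part: a version-bits check accepts roughly a quarter of arbitrary payloads, whereas the TFTP opcode/mode check accepts almost none, which matches the thread's observation that the RTP heuristic is the one worth turning off while the port-based RTP and TFTP dissectors stay enabled.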

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
