Re: [Wireshark-dev] overriding dissector for port 8080

2014-04-04 Thread John Dill

Message: 4
Date: Thu, 03 Apr 2014 16:14:53 -0400
From: Jeff Morriss jeff.morriss...@gmail.com
To: Developer support list for Wireshark wireshark-dev@wireshark.org
Subject: Re: [Wireshark-dev] overriding dissector for port 8080
Message-ID: 533dc13d.8010...@gmail.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

> On 04/03/14 10:26, John Dill wrote:
>
>> I have network traffic that uses TCP port 8080 for sending non-http data
>> (on a private network with its own custom application layer on top of
>> TCP and UDP).  Is there a recommendation for how to override or remove
>> this dissector?  I still have port 80 for http traffic.
>>
>> I can remove port 8080 from the default http dissector TCP port options,
>> and strip 'http-alt' out of services (to be replaced with a different
>> well-known service name).  Is there anything else?
>
> You don't have to change the services file unless you don't want to see
> port 8080 translated into http-alt in Wireshark.

Yeah, the avionics network architecture defines its own Well Known Services
for several TCP and UDP ports, so I'd have to eventually create a custom
'services' file to document all the ports.

> Removing port 8080 from the HTTP dissector's preference is probably the
> best way.  If you have a custom dissector for your protocol, registering
> it for port 8080 *might* override the HTTP dissector but it's not
> guaranteed (last I checked).  As Alexis mentioned Decode-As would
> override it.

Unfortunately, I do not have the TCP dissector component working yet (the
message structure has to be somewhat reverse engineered), so I'll have to
try that out when I get it working.

>> I also noticed a disabled_protos.[ch], so maybe there is a feature to
>> disable other protocols.  Is there a feature that could be used to hide
>> protocols I don't need in the Filter Expression (to reduce the list to
>> simplify the interface to users)?
>
> No, I don't think there's a way to simplify what's in the Filter
> Expression dialog short of removing dissectors from Wireshark (probably
> more effort than it's worth).

The only reason would be to simplify the interface for test engineers who
like to streamline their process (it would remove the need to constantly
type the protocol abbreviation).  It would happen at the end of the
development cycle if at all.

Thank you (and to Alexis) for your feedback.
John Dill

___
Sent via:Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives:http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
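The "register your own dissector for port 8080" route that Jeff describes above, shown as an added Wireshark Lua dissector. This is example code written for this thread, not anything from Wireshark or from John's project: the protocol name "avionics" and the message layout (16-bit message id, 16-bit payload length, payload) are constructed assumptions, since the real avionics format is not described on the list. It handles the two TCP cases a port-based dissector has to get right, a PDU split across segments and several PDUs in one segment, because a custom dissector that returns the wrong length silently corrupts every following message in the stream.

```lua
-- Added example: minimal Lua dissector bound to TCP port 8080 (not Wireshark's own code).
-- Message layout is a constructed assumption: msg_id (2 bytes) | len (2 bytes) | payload.
local avionics_proto = Proto("avionics", "Avionics custom protocol (example)")

local f_msg_id  = ProtoField.uint16("avionics.msg_id",  "Message ID",     base.HEX)
local f_len     = ProtoField.uint16("avionics.len",     "Payload length", base.DEC)
local f_payload = ProtoField.bytes ("avionics.payload", "Payload")
avionics_proto.fields = { f_msg_id, f_len, f_payload }

local HDR_LEN = 4

function avionics_proto.dissector(tvb, pinfo, tree)
  local offset = 0
  local avail  = tvb:len()
  local pdus   = 0

  -- Walk every complete PDU in this segment; stop and ask TCP for more bytes
  -- as soon as a header or payload runs past the end of what we have.
  while offset < avail do
    local remaining = avail - offset

    if remaining < HDR_LEN then
      -- Partial header: reassemble from here, length unknown until header is whole.
      pinfo.desegment_offset = offset
      pinfo.desegment_len    = DESEGMENT_ONE_MORE_SEGMENT
      return
    end

    local plen    = tvb(offset + 2, 2):uint()
    local msg_len = HDR_LEN + plen

    if remaining < msg_len then
      -- Header complete, payload continues in the next segment: exact byte count known.
      pinfo.desegment_offset = offset
      pinfo.desegment_len    = msg_len - remaining
      return
    end

    local subtree = tree:add(avionics_proto, tvb(offset, msg_len), "Avionics Message")
    subtree:add(f_msg_id, tvb(offset, 2))
    subtree:add(f_len,    tvb(offset + 2, 2))
    if plen > 0 then
      subtree:add(f_payload, tvb(offset + HDR_LEN, plen))
    end

    offset = offset + msg_len
    pdus   = pdus + 1
  end

  pinfo.cols.protocol = avionics_proto.name
  pinfo.cols.info     = string.format("%d avionics message(s)", pdus)
  return avail
end

-- Binding on the tcp.port table replaces the existing entry for 8080 (HTTP's
-- http-alt binding) and also makes "avionics" selectable in Decode As.
DissectorTable.get("tcp.port"):add(8080, avionics_proto)
```

Drop the file in the personal plugins directory (Help > About Wireshark > Folders shows the path) and the protocol appears in the Filter Expression dialog under its fields `avionics.msg_id`, `avionics.len` and `avionics.payload`. Because the dissector is in the `tcp.port` table, the same binding can be applied per capture without touching the script: in the GUI through Decode As, or on the command line with `tshark -d tcp.port==8080,avionics`. As Jeff notes, whether the table entry beats HTTP is not something to rely on across versions, so removing 8080 from the HTTP preference or using Decode As remains the dependable way to keep HTTP off that port.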

Re: [Wireshark-dev] overriding dissector for port 8080

2014-04-04 Thread Hadriel Kaplan

On Apr 4, 2014, at 9:56 AM, John Dill john.d...@greenfieldeng.com wrote:

>>> I also noticed a disabled_protos.[ch], so maybe there is a feature to
>>> disable other protocols.  Is there a feature that could be used to hide
>>> protocols I don't need in the Filter Expression (to reduce the list to
>>> simplify the interface to users)?
>>
>> No, I don't think there's a way to simplify what's in the Filter
>> Expression dialog short of removing dissectors from Wireshark (probably
>> more effort than it's worth).
>
> The only reason would be to simplify the interface for test engineers who
> like to streamline their process (it would remove the need to constantly
> type the protocol abbreviation).  It would happen at the end of the
> development cycle if at all.

Can’t you just create some filter macros [1] to do that for you?

[1] 
http://www.wireshark.org/docs/wsug_html_chunked/ChDisplayFilterMacrosSection.html

-hadriel



Re: [Wireshark-dev] overriding dissector for port 8080

2014-04-04 Thread John Dill
Message: 2
Date: Fri, 4 Apr 2014 10:19:52 -0400
From: Hadriel Kaplan hadriel.kap...@oracle.com
To: Developer support list for Wireshark wireshark-dev@wireshark.org
Subject: Re: [Wireshark-dev] overriding dissector for port 8080
Message-ID: d1433e77-410e-44ed-9cb6-2cd341618...@oracle.com
Content-Type: text/plain; charset=windows-1252

> On Apr 4, 2014, at 9:56 AM, John Dill john.d...@greenfieldeng.com wrote:
>
>>>> I also noticed a disabled_protos.[ch], so maybe there is a feature to
>>>> disable other protocols.  Is there a feature that could be used to hide
>>>> protocols I don't need in the Filter Expression (to reduce the list to
>>>> simplify the interface to users)?
>>>
>>> No, I don't think there's a way to simplify what's in the Filter
>>> Expression dialog short of removing dissectors from Wireshark (probably
>>> more effort than it's worth).
>>
>> The only reason would be to simplify the interface for test engineers who
>> like to streamline their process (it would remove the need to constantly
>> type the protocol abbreviation).  It would happen at the end of the
>> development cycle if at all.
>
> Can't you just create some filter macros [1] to do that for you?
>
> [1]
> http://www.wireshark.org/docs/wsug_html_chunked/ChDisplayFilterMacrosSection.html

That would work well for filter expressions that different test engineers
would commonly use.  However, there are hundreds of messages each ranging
from one to several hundred data elements that engineers would have to
browse to build their own expressions to begin with, and it really depends
on the types of tests they are doing, or troubleshooting new problems.
The Filter Expression dialog is the best place in Wireshark to locate the
data elements they are looking for, so it was mentioned as a nice to have.

Since often times the test engineers (or really anyone) do not have
intimate knowledge of all the message traffic and memory of its exact
contents (unless you can memorize several thousand pages of reference
documents), much of the browsing happens in the Filter Expression dialog.

Best regards,
John Dill

Re: [Wireshark-dev] overriding dissector for port 8080

2014-04-04 Thread Hadriel Kaplan

On Apr 4, 2014, at 10:43 AM, John Dill john.d...@greenfieldeng.com wrote:

> The Filter Expression dialog is the best place in Wireshark to locate the
> data elements they are looking for, so it was mentioned as a nice to have.

Oh well if it’s just the dialog, why not just disable the other protocols?  Go
to menu Analyze->Enabled Protocols, and disable all and then select the ones
you want enabled.  Only the enabled ones show up in the Filter Expression
dialog, I believe.

-hadriel



Re: [Wireshark-dev] overriding dissector for port 8080

2014-04-04 Thread John Dill

Message: 2
Date: Fri, 4 Apr 2014 10:59:18 -0400
From: Hadriel Kaplan hadriel.kap...@oracle.com
To: Developer support list for Wireshark wireshark-dev@wireshark.org
Subject: Re: [Wireshark-dev] overriding dissector for port 8080
Message-ID: 225ee544-6929-4484-a8c2-2260be860...@oracle.com
Content-Type: text/plain; charset=windows-1252

> On Apr 4, 2014, at 10:43 AM, John Dill john.d...@greenfieldeng.com wrote:
>
>> The Filter Expression dialog is the best place in Wireshark to locate the
>> data elements they are looking for, so it was mentioned as a nice to have.
>
> Oh well if it's just the dialog, why not just disable the other protocols?
> Go to menu Analyze->Enabled Protocols, and disable all and then select the
> ones you want enabled.  Only the enabled ones show up in the Filter
> Expression dialog, I believe.

That'll work!  Thanks :-)

[Wireshark-dev] overriding dissector for port 8080

2014-04-03 Thread John Dill

I have network traffic that uses TCP port 8080 for sending non-http data (on a
private network with its own custom application layer on top of TCP and UDP).
Is there a recommendation for how to override or remove this dissector?  I
still have port 80 for http traffic.

I can remove port 8080 from the default http dissector TCP port options, and 
strip 'http-alt' out of services (to be replaced with a different well-known 
service name).  Is there anything else?

I also noticed a disabled_protos.[ch], so maybe there is a feature to disable 
other protocols.  Is there a feature that could be used to hide protocols I 
don't need in the Filter Expression (to reduce the list to simplify the 
interface to users)?

Thanks,
John Dill

Re: [Wireshark-dev] overriding dissector for port 8080

2014-04-03 Thread Alexis La Goutte

On Thu, Apr 3, 2014 at 4:26 PM, John Dill john.d...@greenfieldeng.com wrote:

> I have network traffic that uses TCP port 8080 for sending non-http data (on
> a private network with its own custom application layer on top of TCP and
> UDP).  Is there a recommendation for how to override or remove this
> dissector?  I still have port 80 for http traffic.
>
> I can remove port 8080 from the default http dissector TCP port options, and
> strip 'http-alt' out of services (to be replaced with a different well-known
> service name).  Is there anything else?
>
> I also noticed a disabled_protos.[ch], so maybe there is a feature to
> disable other protocols.  Is there a feature that could be used to hide
> protocols I don't need in the Filter Expression (to reduce the list to
> simplify the interface to users)?

Hi,
Use the Decode As feature?

> Thanks,
> John Dill



Re: [Wireshark-dev] overriding dissector for port 8080

2014-04-03 Thread Jeff Morriss

On 04/03/14 10:26, John Dill wrote:

> I have network traffic that uses TCP port 8080 for sending non-http data
> (on a private network with its own custom application layer on top of
> TCP and UDP).  Is there a recommendation for how to override or remove
> this dissector?  I still have port 80 for http traffic.
>
> I can remove port 8080 from the default http dissector TCP port options,
> and strip 'http-alt' out of services (to be replaced with a different
> well-known service name).  Is there anything else?

You don't have to change the services file unless you don't want to see
port 8080 translated into http-alt in Wireshark.

Removing port 8080 from the HTTP dissector's preference is probably the
best way.  If you have a custom dissector for your protocol, registering
it for port 8080 *might* override the HTTP dissector but it's not
guaranteed (last I checked).  As Alexis mentioned Decode-As would
override it.

> I also noticed a disabled_protos.[ch], so maybe there is a feature to
> disable other protocols.  Is there a feature that could be used to hide
> protocols I don't need in the Filter Expression (to reduce the list to
> simplify the interface to users)?

No, I don't think there's a way to simplify what's in the Filter
Expression dialog short of removing dissectors from Wireshark (probably
more effort than it's worth).

