On Apr 13, 2010, at 2:34 PM, Edgar, Thomas wrote:

> I am open to the possibility of going forward with that approach. Just to
> clarify, does this work by the user preselecting the framing mechanism before
> the capture is started?

Yes.

> For instance, I would have to know that DNP3 is being communicated before I
> start the capture?

Yes.

> With the timing method I am using I was going for a method to capture
> anything from a COM port and then allow the parsing mechanism (like the
> heuristic dissectors in Wireshark) to determine what protocol is actually
> present. I am going for a more hands-off user experience than requiring them
> to decide beforehand which protocol to capture. What do you think?

I think heuristics are what you use when you can't use anything else; if they're too strong, they will fail to identify things that they should (and people will complain about it), and if they're too weak, they will identify things that they shouldn't (and people will complain about it). We have had to tweak the heuristics in Wireshark dissectors and Wireshark file-type identifiers, sometimes more than once, and it's a pain.

If you can come up with sufficiently strong heuristics for the protocols in question, such that you can always, or almost always, correctly identify the protocol - and somebody isn't going to have to repeatedly tweak the heuristics, or even add a UI option to override it (at which point we have something not very different from an option you set when you do the capture) - then that might suffice.

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
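The "too weak / too strong" trade-off described in the reply above, as an added example that is not part of the thread or of any project's code. It assumes DNP3 serial data-link framing (start octets 05 64, LEN = 5 + user octets, CTRL, DEST, SRC, a CRC-16/DNP over the 8-octet header, then user data in 16-octet blocks each followed by its own CRC) and runs three candidate heuristics over a constructed COM-port byte stream.

```python
# Assumed DNP3 link framing (see lead-in); all bytes below are constructed for the demo.

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def weak_dnp3_at(buf: bytes, i: int) -> bool:
    """Too weak: only the start octets, so any stray 05 64 in line noise 'matches'."""
    return buf[i:i + 2] == b"\x05\x64"

def strong_dnp3_at(buf: bytes, i: int) -> bool:
    """Start octets, a plausible LEN (>= 5) and a correct header CRC."""
    hdr = buf[i:i + 10]
    if len(hdr) < 10 or hdr[:2] != b"\x05\x64" or hdr[2] < 5:
        return False
    return int.from_bytes(hdr[8:10], "little") == dnp3_crc(hdr[:8])

def whole_frame_dnp3_at(buf: bytes, i: int) -> bool:
    """Too strong: also demands every user-data block plus its CRC, so a frame
    cut off by the end of the capture is rejected although it really is DNP3."""
    if not strong_dnp3_at(buf, i):
        return False
    pos, left = i + 10, buf[i + 2] - 5          # user octets following the header
    while left > 0:
        block = buf[pos:pos + min(16, left)]
        crc = buf[pos + len(block):pos + len(block) + 2]
        if len(crc) < 2 or int.from_bytes(crc, "little") != dnp3_crc(block):
            return False
        pos, left = pos + len(block) + 2, left - len(block)
    return True

def scan(buf: bytes, test) -> list:
    """Offsets at which `test` claims a DNP3 frame begins."""
    return [i for i in range(len(buf)) if test(buf, i)]

# Constructed serial capture: one noise byte, a stray "05 64" header whose CRC is
# deliberately wrong (one bit flipped), a real frame, then that frame truncated.
STRAY_HDR = b"\x05\x64\x07\x44\x01\x00\x02\x00"
STRAY = STRAY_HDR + (dnp3_crc(STRAY_HDR) ^ 1).to_bytes(2, "little")
REAL_HDR = b"\x05\x64\x0B\xC4\x01\x00\x00\x04"     # LEN 11 -> 6 user octets
USER = b"\xC0\xC1\x01\x3C\x02\x06"
REAL = (REAL_HDR + dnp3_crc(REAL_HDR).to_bytes(2, "little")
        + USER + dnp3_crc(USER).to_bytes(2, "little"))
STREAM = b"\x00" + STRAY + REAL + REAL[:14]
```

Running `scan(STREAM, weak_dnp3_at)` reports the stray header at offset 1 as a frame, `scan(STREAM, strong_dnp3_at)` reports only the real frame (offset 11) and its truncated copy (offset 29), and `scan(STREAM, whole_frame_dnp3_at)` drops the truncated one as well.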