The main concern I try to address is when we have a large number of heuristics trying to match on a large number of packets but making no match.
As an example, one of the dissectors switched to heuristics default off deals with communication between a controller and a drone, which must be a very rare case.

In the GUI it is easy to turn all heuristics on or off. Making a selection is more difficult, as you would have to understand in what kind of environment the protocols may be used.

On Fri, 21 Nov 2025 at 09:49, Guy Harris <[email protected]> wrote:

> On Nov 20, 2025, at 11:08 PM, Guy Harris <[email protected]> wrote:
>
> > Do we have any numbers on how much of a performance improvement results
> > from disabling all heuristics?
>
> ...bearing in mind that disabling those heuristics could speed up
> dissection *because packets aren't being dissected past a certain point*.
>
> E.g., testing with a large NFS capture (NFS is recognized by its ONC RPC
> program number, not by being on port 2049, and ONC RPC is recognized by
> heuristics) would probably show a speedup because neither the ONC RPC
> dissector nor the NFS dissector are called, regardless of time spent with
> heuristics that fail.
>
> Note, though, that the ONC RPC dissector sets the "conversation dissector"
> for the TCP connection or UDP "connection" to be the ONC RPC dissector once
> it recognizes an ONC RPC packet, so that dissection of subsequent packets
> shouldn't involve the heuristics.
>
> _______________________________________________
> Wireshark-dev mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
