The user can control how protocols are dissected.
Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Wireshark tries to find the right dissector for each packet (using static “routes” and heuristic “guessing”), it might choose the wrong dissector in your specific case. For example, Wireshark won’t know if you use a common protocol on an uncommon TCP port, e.g., using HTTP on TCP port 800 instead of the standard port 80.
There are two ways to control the relations between protocol dissectors: disable a protocol dissector completely or temporarily divert the way Wireshark calls the dissectors.
The Enabled Protocols dialog box lets you enable or disable specific protocols. Most protocols are enabled by default. When a protocol is disabled, Wireshark stops processing a packet whenever that protocol is encountered.
> Note: Disabling a protocol will prevent information about higher-layer protocols from being displayed. For example, suppose you disabled the IP protocol and selected a packet containing Ethernet, IP, TCP, and HTTP information. The Ethernet information would be displayed, but the IP, TCP and HTTP information would not; disabling IP prevents it and the higher-layer protocols from being displayed.
To enable or disable protocols select → . Wireshark will pop up the “Enabled Protocols” dialog box as shown in Figure 11.4, “The ‘Enabled Protocols’ dialog box”.
To disable or enable a protocol, simply click the checkbox using the mouse. The search functionality can be used to quickly find the protocol dissector you want to disable or enable by limiting the list of protocols displayed.
The Search field is case-insensitive and matches any protocol dissector that contains the search string in its name. Typing a few letters of the protocol name in the search box will limit the list to those dissectors that contain these letters.
The first drop down menu allows you to limit the search to enabled or disabled protocol dissectors, while the second drop down menu allows you to limit the search to heuristic and non-heuristic dissectors.
Heuristic dissectors are dissectors that are not identified by a known relationship to other dissectors (e.g., an IANA-registered port number) but by heuristic “guessing” based on the content of the packet (e.g., a fixed sequence of bytes at the start of a packet). Disabling a heuristic dissector will prevent it from being used in the heuristics process, but the protocol may still be dissected if it is identified by a known relationship to other dissectors. Heuristic protocol dissectors are shown as subtrees in the protocol list.
You can choose from the following actions:
The “Decode As” functionality lets you temporarily divert specific protocol dissections. This might be useful, for example, if you run uncommon experiments on your network.
Decode As is accessed by selecting → . Wireshark will pop up the “Decode As” dialog box as shown in Figure 11.5, “The ‘Decode As’ dialog box”.
In this dialog you are able to edit entries by means of the edit buttons on the left.
You can also pop up this dialog box from the context menu in the packet list or packet details. It will then contain a new line based on the currently selected packet.
These settings will be lost if you quit Wireshark or change profile unless you save the entries.
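To make the interaction between the Enabled Protocols dialog, heuristic dissectors and Decode As concrete, here is an added example: a small Python model of the dissector-selection order described above (a port-based “route” first, heuristic “guessing” as a fallback, Decode As overriding both, and dissection stopping at the first disabled protocol). This is not Wireshark’s code; the port table, the three toy heuristics and the sample frames are constructed for illustration, and the HTTP-on-port-800 frame reproduces the scenario the section uses.

```python
# Added example (not Wireshark code): a toy model of how an analyser picks a
# dissector for a TCP payload. All tables and packets below are constructed.

# "Static route": known port -> dissector (the analogue of an IANA-registered port).
PORT_TABLE = {80: "HTTP", 443: "TLS", 25: "SMTP"}

# Heuristic dissectors inspect the payload bytes instead of trusting the port.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def heur_http(payload: bytes) -> bool:
    """Request line looks like '<METHOD> <target> HTTP/1.x'."""
    first_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


def heur_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def heur_smtp(payload: bytes) -> bool:
    """Server greeting or client hello of an SMTP session."""
    return payload.startswith((b"220 ", b"EHLO ", b"HELO "))


# Tried in registration order, like a heuristic dissector list.
HEURISTICS = [("HTTP", heur_http), ("TLS", heur_tls), ("SMTP", heur_smtp)]


def choose_dissector(port, payload, decode_as=None, disabled=frozenset(),
                     disabled_heuristics=frozenset()):
    """Return (dissector_name, reason). reason is one of
    'decode-as', 'port', 'heuristic', 'disabled' or 'data'.

    decode_as            : {port: protocol}, the user's Decode As entries
    disabled             : protocols unticked in Enabled Protocols
    disabled_heuristics  : heuristic entries unticked (the protocol itself may
                           still be reached through a port route)
    """
    decode_as = decode_as or {}
    # 1. A Decode As entry diverts dissection for that port before anything else.
    if port in decode_as:
        proto = decode_as[port]
        return (None, "disabled") if proto in disabled else (proto, "decode-as")
    # 2. Static route by port number.
    if port in PORT_TABLE:
        proto = PORT_TABLE[port]
        return (None, "disabled") if proto in disabled else (proto, "port")
    # 3. Heuristics, skipping dissectors that are disabled either way.
    for proto, check in HEURISTICS:
        if proto in disabled or proto in disabled_heuristics:
            continue
        if check(payload):
            return (proto, "heuristic")
    return (None, "data")


def dissect_frame(frame, decode_as=None, disabled=frozenset(),
                  disabled_heuristics=frozenset()):
    """Walk Ethernet -> IP -> TCP -> application; stop at the first disabled
    layer, as the Note above describes for a disabled IP dissector."""
    layers = []
    for proto in ("Ethernet", "IP", "TCP"):
        if proto in disabled:
            return layers
        layers.append(proto)
    app, _ = choose_dissector(frame["dst_port"], frame["payload"],
                              decode_as, disabled, disabled_heuristics)
    layers.append(app or "Data")
    return layers


# Constructed sample frames (only the fields the model needs).
HTTP_ON_800 = {"dst_port": 800, "payload": b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"}
TLS_ON_8443 = {"dst_port": 8443, "payload": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"}

if __name__ == "__main__":
    print(dissect_frame(HTTP_ON_800))                                   # heuristic finds HTTP
    print(dissect_frame(HTTP_ON_800, disabled_heuristics={"HTTP"}))     # falls back to Data
    print(dissect_frame(HTTP_ON_800, decode_as={800: "HTTP"},
                        disabled_heuristics={"HTTP"}))                  # Decode As restores it
    print(dissect_frame(HTTP_ON_800, disabled={"IP"}))                  # stops after Ethernet
```

The same three controls exist on the command line: `tshark -d tcp.port==800,http` is the Decode As entry for the page’s example, and `--disable-protocol`, `--enable-protocol`, `--disable-heuristic` and `--enable-heuristic` correspond to the two kinds of checkboxes in the Enabled Protocols dialog.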