User Guide

Customizing Wireshark
10.4. Control Protocol dissection
The user can control how protocols are dissected.
Each protocol has its own dissector, so dissecting a complete packet will typically involve several
dissectors. As Wireshark tries to find the right dissector for each packet (using static "routes" and heuristic
"guessing"), it might choose the wrong dissector in your specific case. For example, Wireshark won't know
if you use a common protocol on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of
the standard port 80.
There are two ways to control the relations between protocol dissectors: disable a protocol dissector
completely or temporarily divert the way Wireshark calls the dissectors.
10.4.1. The "Enabled Protocols" dialog box
The Enabled Protocols dialog box lets you enable or disable specific protocols; all protocols are enabled
by default. When a protocol is disabled, Wireshark stops processing a packet whenever that protocol is
encountered.
Note!
Disabling a protocol will prevent information about higher-layer protocols from being
displayed. For example, suppose you disabled the IP protocol and selected a packet
containing Ethernet, IP, TCP, and HTTP information. The Ethernet information would be
displayed, but the IP, TCP and HTTP information would not - disabling IP would prevent it
and the other protocols from being displayed.
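The following added example (a simplified model written for this guide page, not Wireshark's own code) walks a constructed Ethernet/IP/TCP/HTTP frame through a chain of toy dissectors to show both effects described above: HTTP on TCP port 800 is not recognized until the route is diverted, and disabling IP hides every layer above Ethernet. The names `dissect`, `disabled`, `overrides`, `ROUTES` and the table names are assumptions of this model.

```python
import struct

# Constructed sample frame: Ethernet / IPv4 / TCP (destination port 800) / HTTP request.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
TCP = struct.pack("!HHIIBBHHH", 49152, 800, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(PAYLOAD), 1, 0, 64, 6, 0,
                 bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
ETH = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
FRAME = ETH + IP + TCP + PAYLOAD

# Each toy dissector returns (next lookup table, candidate selectors, remaining bytes).
def eth(buf):
    return "ethertype", [struct.unpack("!H", buf[12:14])[0]], buf[14:]

def ip(buf):
    header_len = (buf[0] & 0x0F) * 4
    return "ip.proto", [buf[9]], buf[header_len:]

def tcp(buf):
    sport, dport = struct.unpack("!HH", buf[:4])
    header_len = (buf[12] >> 4) * 4
    return "tcp.port", [sport, dport], buf[header_len:]

def http(buf):
    return None, [], b""  # top of the stack in this model

DISSECTORS = {"eth": eth, "ip": ip, "tcp": tcp, "http": http}
# Static "routes" of the model: lookup table -> selector value -> protocol name.
ROUTES = {"ethertype": {0x0800: "ip"}, "ip.proto": {6: "tcp"}, "tcp.port": {80: "http"}}

def dissect(frame, disabled=(), overrides=()):
    """Return the protocol layers that would be shown for one frame."""
    routes = {table: dict(entries) for table, entries in ROUTES.items()}
    for table, selector, proto in overrides:  # user diverts a route
        routes[table][selector] = proto
    layers, proto, buf = [], "eth", frame
    while proto is not None:
        if proto in disabled:  # disabled protocol: processing stops here
            break
        layers.append(proto)
        table, selectors, buf = DISSECTORS[proto](buf)
        entries = routes.get(table, {})
        proto = next((entries[s] for s in selectors if s in entries), None)
    return layers

if __name__ == "__main__":
    print(dissect(FRAME))
    print(dissect(FRAME, overrides=[("tcp.port", 800, "http")]))
    print(dissect(FRAME, disabled={"ip"}))
```
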
To enable or disable protocols, select the Enabled Protocols... item from the Analyze menu; Wireshark will
pop up the "Enabled Protocols" dialog box as shown in Figure 10.5, “The "Enabled Protocols" dialog box”.