1 | initial version |
Maybe you are misunderstanding, so I will answer this question.
However, this may not work in real life because TCP packets may be fragmented arbitrarily by hardware if the information sent is too long.
The domain in this problem probably not a "conversation" but a TCP reassembly. Fragmented packets need to be reassembled first and then analyzed.
See the answers to the questions below for details.
How to parse the tcp data with fragments in lua
Wireshark should then be set up to always directly call the dissector for that protocol.
This means Whireshark should be set up to disable "Try heuristic sub-dissectors first" preference.
This is the summary of the first to fourth paragraphs of this section.
For example, if the tcp.port changes or conflicts with another protocol, the dissector monitoring for a particular tcp.port will not work properly.
In this case, you need to inspect all the tcp packets to determine the protocol in another way. (Specific character string / byte sequence of header, MAC Address, etc.)
This is a heuristic dissector, but since tcp has many heuristic dissectors and each of them inspects all tcp packets, it takes too much analysis cost (time) when inspecting large capture files there is a possibility. That is why the options are disabled by default.
2 | No.2 Revision |
Maybe you are misunderstanding, so I will answer this question.
However, this may not work in real life because TCP packets may be fragmented arbitrarily by hardware if the information sent is too long.
The domain in this problem probably not a "conversation" but a TCP reassembly. Fragmented packets need to be reassembled first and then analyzed.
See the answers to the questions below for details.
How to parse the tcp data with fragments in lua
Wireshark should then be set up to always directly call the dissector for that protocol.
This means Whireshark should be set up to disable "Try heuristic sub-dissectors first" preference.
This paragraph is the summary of the first to fourth paragraphs of this section.section. [EDITED]
For example, if the tcp.port changes or conflicts with another protocol, the dissector monitoring for a particular tcp.port will not work properly.
In this case, you need to inspect all the tcp packets to determine the protocol in another way. (Specific character string / byte sequence of header, MAC Address, etc.)
This is a heuristic dissector, but since tcp has many heuristic dissectors and each of them inspects all tcp packets, it takes too much analysis cost (time) when inspecting large capture files there is a possibility. That is why the options are disabled by default.