Ask Your Question
0

Is there a way to disable a protocol

asked 2021-04-14 19:17:39 +0000

billcall gravatar image

I have vendor that arbitrarily picked TCP port 7000 for their application. This application is only run local LAN or via VPN through port forwarding so it would not ever appear on the Internet. Port 7000 was used by the Gryphon Protocol. Periodically, Wireshark actually interprets a packet as a Gryphon packet which messes things up like trying to reassemble segments from multiple packets. Is there a way to filter the protocol but keep the data or make Wireshark "blind" to the protocol? Thanks.

edit retag flag offensive close merge delete

Comments

I would recommend cmaynard solution, but create a new profile. Name the profile that you will know it has Gryphon disabled. Then use this profile when troubleshooting this service.

BigFatCat gravatar imageBigFatCat ( 2021-04-14 20:31:19 +0000 )edit

Use your own profiles to get the maximum out of Wireshark. Laura has a good video on the subject that I strongly recommend: https://www.youtube.com/watch?v=NMCt_... (Actually I recommend you watch all of her Wireshark video's.)

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2021-04-15 07:48:56 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-04-14 19:35:52 +0000

cmaynard gravatar image

updated 2021-04-14 19:38:06 +0000

There are at least 3 potential solutions.

  1. Any protocol can be disabled via Analyze -> Enabled Protocols. Scroll down or search for Gryphon then deselect it to disable it.
  2. Manually edit the disabled_protos file located in your Personal configuration directory, assuming you are working with the Default profile. You can find the directory via Help -> About Wireshark -> Folders. Simply add gryphon as an entry in the file. If the file doesn't exist, you can manually create it. This solution is basically the same as the first one though, except you're editing the file manually instead of letting Wireshark do it, so option 1 is probably safer to do than this one, should it be your method of choice.
  3. Since the Gryphon dissector is a plugin, you could remove the gryphon.dll file from the Global Plugins directory and restart Wireshark. You may need administrator rights to do this though. Locate the Global Plugins directory via Help -> About Wireshark -> Folders, and you should find the gryphon.dll file in the epan/ subdirectory.

Personally, I'd recommend using option 1.

NOTE: When you disable a protocol, it's only disabled for a particular profile, and if you haven't created a new profile, it'll be the Default profile. So, if you want to leave the Default profile alone, you can create a new "Vendor App" profile using Edit -> Configuration Profiles..., and then only disable the Gryphon dissector in that profile. That way, you can leave it enabled in other profiles that aren't applicable when you're not analyzing that vendor's application traffic.

edit flag offensive delete link more

Comments

Edit -> Preferences... -> Protocols -> Gryphon
change port (might still conflict with other packets but it's an option)

Chuckc gravatar imageChuckc ( 2021-04-14 19:40:54 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-04-14 19:17:39 +0000

Seen: 158 times

Last updated: Apr 14