There used to be an option to enable heuristic detection for dnp3 packets. It seems to be missing as of 3.4.9. Has it been removed?

asked 2021-11-02 14:56:15 +0000

dtardogno
3 ●2

DNP option to disable port mapping and enable heuristic detection (0x0564 in first two bytes of payload), seems to be missing. Has it been removed?

answered 2021-11-02 15:15:20 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

The preferences were removed over 6 years ago, see change 9610.

As per that change, heuristic dissectors are now enabled via the Analyze -> Enabled Protocols dialog, search for DNP3 and then use the checkboxes for dnp3_tcp or dnp3_udp as required.

Arguably the description could indicate this is for heuristic dissection.

edit flag offensive delete link

Comments

Is there a way to do this programmatically, from a plugin, or from a startup config file?

dtardogno ( 2021-11-02 17:43:32 +0000 )edit

The setting is preserved in the profile in the file heuristic_protos, e.g. with both DNP3 options checked among the entries in the file are

....
dnp3_tcp,1
dnp3_udp,1
....

or from the command line with --enable-heuristic <short_name> e.g. dnp3_tcp.

grahamb ( 2021-11-02 18:30:47 +0000 )edit

image description

Chuckc ( 2021-11-02 21:27:33 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

There used to be an option to enable heuristic detection for dnp3 packets. It seems to be missing as of 3.4.9. Has it been removed?

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

There used to be an option to enable heuristic detection for dnp3 packets. It seems to be missing as of 3.4.9. Has it been removed? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

There used to be an option to enable heuristic detection for dnp3 packets. It seems to be missing as of 3.4.9. Has it been removed?