0

Disabling unused protocols

asked 2018-10-06 05:58:49 +0000

felixbkk

I regularly open ~100 MB files to do troubleshooting. Can I expect a marked increase in performance by disabling the unused protocols?

Is there an easy way to disable everything but the most common protocol? Perhaps editing a config file.


2 Answers

0

answered 2018-10-06 06:08:31 +0000

updated 2018-10-06 06:18:42 +0000

It can be done.

Go to Analyze -> Enabled protocols and un-check the ones you don't need.


Yes, it can increase file opening speed significantly. You can make a separate profile for this purpose because the Enabled protocols setting is stored on a per-profile basis.


Comments

Do you have any figures backing that up?

Anders ( 2018-10-06 06:13:22 +0000 )

Thank you! With over 2400 protocols do you just disable all of them and then re-add the ones that you need?

I'll have to play around with finding the right balance.

felixbkk ( 2018-10-06 06:16:59 +0000 )

So the major speedup is actually not dissecting protocols actually in the trace rather than overhead caused by unused dissectors.

Anders ( 2018-10-06 18:14:17 +0000 )

Yes, exactly that. But it'd be interesting to test the latter case you talk about too. I'll take a filtered large-size 1-TCP-stream trace and compare load speed with enabled/disabled protocols. Though I suspect there won't be much difference.

Packet_vlad ( 2018-10-06 18:51:05 +0000 )

So in conclusion if you want to see everything that's in the file there isn't much gain in disabling protocol dissectors for protocols not present in the file?

Anders ( 2018-10-06 19:13:11 +0000 )
1

answered 2018-10-06 07:26:46 +0000

updated 2018-10-06 07:27:44 +0000

Hi @Anders, did you mean speedup factors? You're right, I should've mentioned speedup highly depends on some factors:

  • Pcap file content.
  • Protocols being disabled/enabled.

The most noticeable effect I had was when I was working with office uplink traces. These files were filled with a variety of different protocols, from which I only worked with the Ethernet -> IPv4 -> TCP chain with no Layers 5-7 needed. In this case I got a 1.5 to 2.0 speedup factor, sometimes up to 2.5.

@felixbkk If you work with already filtered/prepared files containing, let's say, HTTP and disable protocols other than the Ethernet -> IPv4 -> TCP -> HTTP chain, you probably won't get that much of an increase in load speed.

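The question asks about editing a config file, and the answers point to a per-profile setting and an Ethernet -> IPv4 -> TCP allow-list. As an added example (not from the thread or the Wireshark project), this script builds a profile's `disabled_protos` file from a `tshark -G protocols` listing. The function names, the profile directory argument and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build the contents of a profile's
# disabled_protos file, one protocol filter name per line, from a
# `tshark -G protocols` listing while keeping an allow-list enabled.

# build_disabled_protos KEEP   (listing on stdin, result on stdout)
#   KEEP  space-separated filter names to leave enabled, e.g. "eth ip tcp"
#   stdin tab-separated records; field 3 is the protocol filter name.
#   Assumption: newer tshark releases add field 6 ("can toggle", T or F);
#   records marked F are skipped because they cannot be disabled.
build_disabled_protos() {
    awk -F '\t' -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        NF < 3 || $3 == ""   { next }      # malformed record
        NF >= 6 && $6 == "F" { next }      # not toggleable
        ($3 in allow)        { next }      # stays enabled
        !seen[$3]++          { print $3 }  # disable, once per name
    ' | sort
}

# Constructed sample in the `tshark -G protocols` layout (not real output).
sample_listing() {
    printf 'Frame\tFrame\tframe\tT\tT\tF\n'
    printf 'Ethernet\tEthernet\teth\tT\tT\tT\n'
    printf 'Internet Protocol Version 4\tIPv4\tip\tT\tT\tT\n'
    printf 'Transmission Control Protocol\tTCP\ttcp\tT\tT\tT\n'
    printf 'User Datagram Protocol\tUDP\tudp\tT\tT\tT\n'
    printf 'Hypertext Transfer Protocol\tHTTP\thttp\tT\tT\tT\n'
    printf 'Domain Name System\tDNS\tdns\tT\tT\tT\n'
    printf 'Address Resolution Protocol\tARP/RARP\tarp\n'   # older 3-field form
    printf 'broken line without tabs\n'
}

# Usage: sh build_disabled.sh PROFILE_DIR ["frame eth ip tcp"]
# PROFILE_DIR is the directory of a dedicated Wireshark profile (hypothetical
# argument); the file is only written when tshark is installed.
if [ -n "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
    tshark -G protocols |
        build_disabled_protos "${2:-frame eth ip tcp}" > "$1/disabled_protos"
fi
```

Disabling a protocol also stops dissection of everything carried above it, so the allow-list has to name every layer of the chain you want to see.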
