Wireshark · Ethereal-dev: [Ethereal-dev] Order of subdissectors

["Lars Ruoff" <lars.ruoff@xxxxxxxxxxxxxxxxxx>]

Hi,
This question is with regard to priorities of the various sub-dissection
mechanisms:
For clarity, let me define the different sub-dissection mechanism as:
- "parent": subdissection based on info or preferences in the parent (lower
level) protocol. (for example IP -> UDP)
- "user": as choosen by the user in Decode As...
- "session": dissection based on session protocols, such as for example RTP
conversations initiated by H.225 etc.
  (is this handled with "conversations"?)
- "heuristic".

As i see it, the order in which these subdissections are tried out is:
parent, session, user, heuristic.
(I'm not sure about the "parent", but thats not available on for example the
UDP layer anyway, see below)

Is it that way?
Now, the question i ask myself is if "user" shouldnt have the highest
priority?

For example: i wanted to force decoding of some channel to T.38 (because it
WAS T.38 at some point). However the channel was decoded as RTP by H.225.
Doing a "Decode As.. T.38" will not change anything. You will have to
disable H.225 in order to see the packets decoded as T.38.
This is not very user-friendly at least.

and in this same context:
If you choose "try heuristic dissectors first" in UDP preferences, before
what will the heuristics come?

regards,
Lars Ruoff.