Wireshark-dev: Re: [Wireshark-dev] Duplicate heuristic short_name "XYZ"
From: Guy Harris <[email protected]>
Date: Sun, 3 Jan 2016 11:41:56 -0800
On Jan 3, 2016, at 9:35 AM, Michael Mann <[email protected]> wrote:

> To make Decode As less confusing, Wireshark is enforcing unique protocols for each table so duplicate entries don't show up in a Decode As list.  This was a bigger problem with TCP and UDP where 1 protocol would have multiple dissectors that would do drastically different dissection, but you couldn't tell which was which from the dialog.

Most - but not all! - protocols that run over both TCP and UDP have a different encapsulation over TCP, as a packet length field has to be added when running over TCP (as the service TCP offers is a byte stream service, not a packet service).

But if you have a protocol that runs over multiple lower-level protocols, and *doesn't* require different encapsulations when run over different protocols, it *really* shouldn't be described as N different protocols based solely on running atop N different lower-level protocols.

And that applies equally strongly to a heuristic vs. a non-heuristic dissector - the protocols aren't different based solely on whether the dissector looks at the packet data or whether it's invoked for particular values of a lower-level protocol field.

(And, frankly, I find

	Aeron					Aeron Protocol
	    aeron_udp				Aeron over UDP

confusing, so I'm not convinced this policy makes Decode As *usefully* less confusing.  If "Aeron over UDP" is disabled, does that mean that Wireshark will *never* treat *any* UDP packets as Aeron packets under *any* circumstances with *any* configuration of Wireshark, including Decode As?)
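
The point about TCP needing a packet length field, as an added example that is not part of the original message and is not Wireshark code: one PDU parser shared by a UDP entry point and a TCP entry point that only strips a length prefix and bounds-checks it. The 2-byte big-endian prefix, the PDU layout and every name here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical PDU layout (an assumption): 1-byte type, then payload. */
typedef struct { int pdus; unsigned last_type; size_t last_len; } dissect_state;

/* The protocol proper: identical whatever carried the PDU. */
static int dissect_pdu(const uint8_t *p, size_t len, dissect_state *st)
{
    if (len < 1)
        return -1;                      /* no room for the type byte */
    st->pdus++;
    st->last_type = p[0];
    st->last_len = len - 1;
    return 0;
}

/* UDP: the datagram boundary is the PDU boundary. */
int dissect_over_udp(const uint8_t *dgram, size_t len, dissect_state *st)
{
    return dissect_pdu(dgram, len, st);
}

/* TCP: a byte stream, so each PDU carries a 2-byte big-endian length.
 * Returns the bytes consumed (the rest is a PDU still awaiting more
 * segments), or -1 if a framed PDU is malformed. */
long dissect_over_tcp(const uint8_t *buf, size_t len, dissect_state *st)
{
    size_t off = 0;
    while (len - off >= 2) {
        size_t plen = ((size_t)buf[off] << 8) | buf[off + 1];
        if (plen > len - off - 2)
            break;                      /* length exceeds data held so far */
        if (dissect_pdu(buf + off + 2, plen, st) != 0)
            return -1;
        off += 2 + plen;
    }
    return (long)off;
}

int main(void)
{
    /* Constructed sample: two whole PDUs, then the start of a third. */
    const uint8_t stream[] = { 0,3,1,'a','b', 0,1,2, 0,5,3,'x' };
    dissect_state st = { 0, 0, 0 };
    long used = dissect_over_tcp(stream, sizeof stream, &st);
    printf("consumed %ld bytes, %d PDUs\n", used, st.pdus);
    return 0;
}
```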