The user can control how protocols are dissected.
Each protocol has its own dissector, so dissecting a complete packet willtypically involve several dissectors. As Wireshark tries to find theright dissector for each packet (using static "routes" and heuristics"guessing"), it might choose the wrong dissector in your specificcase. For example, Wireshark won't know if you use a common protocolon an uncommon TCP port, e.g. using HTTP on TCP port 800 instead ofthe standard port 80.
There are two ways to control the relations between protocoldissectors: disable a protocol dissector completely or temporarilydivert the way Wireshark calls the dissectors.
The Enabled Protocols dialog box lets you enable ordisable specific protocols; all protocols are enabled by default.When a protocol is disabled, Wireshark stops processing a packetwhenever that protocol is encountered.
 | Note! |
|---|---|
Disabling a protocol will prevent information about higher-layerprotocols from being displayed. For example,suppose you disabled the IP protocol and selecteda packet containing Ethernet, IP, TCP, and HTTPinformation. The Ethernet information would bedisplayed, but the IP, TCP and HTTP informationwould not - disabling IP would prevent it andthe other protocols from being displayed. |
To enable/disable protocols select the Enabled Protocols... item from the Analyze menu; Wireshark will pop up the "Enabled Protocols" dialog box as shown in Figure9.5, “The "Enabled Protocols" dialog box”.
Figure9.5.The "Enabled Protocols" dialog box
To disable or enable a protocol, simply click on it using themouse or press the space bar when the protocol is highlighted. Note that typing the first few letters of the protocol name when the Enabled Protocols dialog box is active will temporarily open a search text box and automatically select the first matching protocol name (if it exists).
 | Warning! |
|---|---|
You have to use the Save button to save your settings. The OK or Applybuttons will not save your changes permanently, so they will be lostwhen Wireshark is closed. |
You can choose from the following actions:
Enable All: Enable all protocols in the list.
Disable All: Disable all protocols in the list.
Invert: Toggle the state of all protocols in thelist.
OK: Apply the changes and close the dialog box.
Apply: Apply the changes and keep the dialog boxopen.
Save: Save the settings to the disabled_protos, seeAppendixA, Files and Folders for details.
Cancel: Cancel the changes and close the dialog box.
The "Decode As" functionality let you temporarily divert specificprotocol dissections. This might be useful for example, if you do someuncommon experiments on your network.
Decode As is accessed by selecting the Decode As... item from the Analyze menu; Wireshark will pop up the "Decode As" dialog box as shown in Figure9.6, “The "Decode As" dialog box”.
Figure9.6.The "Decode As" dialog box
The content of this dialog box depends on the selected packet when itwas opened.
| Warning! |
|---|---|
The user specified decodes can not be saved. If you quit Wireshark,these settings will be lost. |
Decode: Decode packets the selected way.
Do not decode: Do not decode packets the selectedway.
Link/Network/Transport: Specify the network layerat which "Decode As" should take place. Which of these pages areavailable depends on the content of the selected packet when thisdialog box is opened.
Show Current: Open a dialog box showing thecurrent list of user specified decodes.
OK: Apply the currently selected decode and closethe dialog box.
Apply: Apply the currently selected decode and keepthe dialog box open.
Cancel: Cancel the changes and close the dialog box.
