
Is there a way to disable a protocol

I have a vendor that arbitrarily picked TCP port 7000 for their application. This application is only run on the local LAN or via VPN through port forwarding, so it would not ever appear on the Internet. Port 7000 is used by the Gryphon Protocol. Periodically, Wireshark actually interprets a packet as a Gryphon packet, which messes things up like trying to reassemble segments from multiple packets. Is there a way to filter the protocol but keep the data, or make Wireshark "blind" to the protocol? Thanks.

billcall
asked 2021-04-14 19:17:39 +0000

Comments

I would recommend cmaynard's solution, but create a new profile. Name the profile so that you will know it has Gryphon disabled. Then use this profile when troubleshooting this service.

BigFatCat (2021-04-14 20:31:19 +0000)

Use your own profiles to get the maximum out of Wireshark. Laura has a good video on the subject that I strongly recommend: https://www.youtube.com/watch?v=NMCt_... (Actually, I recommend you watch all of her Wireshark videos.)

hugo.vanderkooij (2021-04-15 07:48:56 +0000)

1 Answer


There are at least 3 potential solutions.

  1. Any protocol can be disabled via Analyze -> Enabled Protocols. Scroll down or search for Gryphon then deselect it to disable it.
  2. Manually edit the disabled_protos file located in your Personal configuration directory, assuming you are working with the Default profile. You can find the directory via Help -> About Wireshark -> Folders. Simply add gryphon as an entry in the file. If the file doesn't exist, you can manually create it. This solution is basically the same as the first one though, except you're editing the file manually instead of letting Wireshark do it, so option 1 is probably safer to do than this one, should it be your method of choice.
  3. Since the Gryphon dissector is a plugin, you could remove the gryphon.dll file from the Global Plugins directory and restart Wireshark. You may need administrator rights to do this though. Locate the Global Plugins directory via Help -> About Wireshark -> Folders, and you should find the gryphon.dll file in the epan/ subdirectory.

Personally, I'd recommend using option 1.

NOTE: When you disable a protocol, it's only disabled for a particular profile, and if you haven't created a new profile, it'll be the Default profile. So, if you want to leave the Default profile alone, you can create a new "Vendor App" profile using Edit -> Configuration Profiles..., and then only disable the Gryphon dissector in that profile. That way, you can leave it enabled in other profiles that aren't applicable when you're not analyzing that vendor's application traffic.

cmaynard
answered 2021-04-14 19:35:52 +0000, updated 2021-04-14 19:38:06 +0000
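The "disable it in a dedicated profile" approach from the answer and the note above, scripted as an added example (not code from the answer or from the Wireshark project). It assumes the personal configuration directory is ~/.config/wireshark (the XDG location used by recent Linux/macOS builds; older builds use ~/.wireshark, and Help -> About Wireshark -> Folders shows the real one), overridable via the hypothetical WS_CONFIG variable, and that disabled_protos holds one protocol filter name per line with # comments.

```shell
#!/bin/sh
# Create (or reuse) a Wireshark profile and list a protocol in its
# disabled_protos file, so the dissector is off only in that profile.

# Personal configuration directory (assumed XDG path; override with WS_CONFIG).
ws_config_dir() {
    printf '%s\n' "${WS_CONFIG:-$HOME/.config/wireshark}"
}

# disable_proto PROFILE PROTO: add PROTO (its filter name, e.g. gryphon) to
# PROFILE's disabled_protos, creating the profile directory and file if needed.
# Idempotent: a name already present is not appended a second time.
disable_proto() {
    profile="$1"
    proto="$2"
    dir="$(ws_config_dir)/profiles/$profile"
    f="$dir/disabled_protos"
    mkdir -p "$dir" || return 1
    [ -f "$f" ] || printf '# Disabled protocols for profile %s\n' "$profile" > "$f"
    if grep -qx -- "$proto" "$f"; then
        return 0
    fi
    printf '%s\n' "$proto" >> "$f"
}

# is_disabled PROFILE PROTO: exit 0 if PROTO is listed in the profile, 1 otherwise.
is_disabled() {
    grep -qx -- "$2" "$(ws_config_dir)/profiles/$1/disabled_protos" 2>/dev/null
}

# Typical use: create a "VendorApp" profile with Gryphon disabled, then select
# it in Wireshark (Edit -> Configuration Profiles...) or run tshark with
# `tshark -C VendorApp -r capture.pcap`. The Default profile is untouched.
if [ "${1:-}" = "--demo" ]; then
    disable_proto VendorApp gryphon && is_disabled VendorApp gryphon && echo "gryphon disabled in VendorApp"
fi
```

For a one-off run without touching any profile, tshark's `--disable-protocol gryphon` option achieves the same effect on the command line.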

Comments

Edit -> Preferences... -> Protocols -> Gryphon
change port (might still conflict with other packets but it's an option)

Chuckc (2021-04-14 19:40:54 +0000)
