Thanks for the pointers and explanation. Will take a look at the smtp dissector.
Thanks, Sudarshan On Wed, Aug 26, 2009 at 4:09 PM, Guy Harris<[email protected]> wrote: > > On Aug 26, 2009, at 3:25 AM, Sudarshan Raghavan wrote: > >> When running a capture or when opening a captured file, wireshark >> dissects it to build the display tree and all. What I also observed is >> that when I select a packet in the display it once again calls the >> dissector to analyze the packet. This seems to be a little wasteful >> since the analysis done earlier is discarded. > > That depends on what you want to waste. > > *Not* discarding the analysis done earlier would require > > 1) generating the full protocol tree for every packet when reading in > the capture (even if the full information from the protocol tree isn't > needed at that point) > > and > > 2) storing that tree for every packet. > > Many years ago, when we first split the protocol tree from the tree > widget used to display the packet, there was a bug that caused the > protocol tree for a packet not to be freed when Ethereal (as it was > called at the time) was finished with it - I discovered this when > filtering a large capture, because my machine thrashed like crazy (to > the point of unusability). > > In other words, it's a question of whether you want to consume lots of > memory (possibly wastefully) or consume extra CPU. > >> It also poses a problem for streaming protocols like RTMP where what >> was seen earlier decides how to make sense of the current data. For >> example, RTMP has header optimizations by which message length is sent >> only once and subsequent RTMP chunks use the length sent earlier. > > To be precise, it poses a problem for writers of dissectors of > protocols where what was seen earlier controls how to make sense of > the current data, so that they are required to: > > on the first pass through the packets, maintain state associated with > the conversation, and construct data structures so that you can, for > any packet, retrieve the relevant state information needed to dissect > that packet; > > on all subsequent dissections of the packet, fetch that information > and use it. > > See, for example, the SMTP dissector, which does exactly that. > >> Is there a way to turn this off and always use the initial analysis? > > No. > > The *only* way we'd consider it would be if we stored the protocol > trees in question in a file, so that they don't take virtual memory > (they'd take disk space, of course...). > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <[email protected]> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:[email protected]?subject=unsubscribe > ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
