Hi, Would it be feasible to have wireshark write packets out to a new file as they are analyzed during the first pass and read packets in from that File for the rest of the session. By doing that reassembled packets could be stored in the pcap-ng packet block as a new option instead of In memory and read back in together with the frame and stored (pointed to) in the fdata structure. Other metadata could probably be stored too in order to Speed up filtering. The new file should have some marking that the first pass analysis is done and some stuff can be skiped if this file is read back in or Reanalysed if the user so decides as all the original data should be retained. I'm sure there a pitfals in this kind of strategy but are there any major Reasons why this cant/shouldn't be done? Comments? Ideas?
Best regards Anders
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
