On Sun, Jun 22, 2014 at 6:05 PM, Joerg Mayer <[email protected]> wrote:
> On Sun, Jun 22, 2014 at 05:07:19PM -0400, Evan Huus wrote:
> > After Kurt's recent post I dug up an old patch I'd played with and cleaned
> > it up a bit. It still needs some work (documentation at the very least) but
> > [1] should add a -Z option to tshark which turns on "stateless" dissection.
> > You lose reassembly and all that, but you should get no memory growth at
> > all.
> >
> > The implementation is a bit of a hack in that stateless dissection still
> > does all the stateful work, it just throws it away after each packet (so
> > stateless is actually slightly slower than stateful) but it seems to work
> > in my simple tests.
> >
> > Does this seem useful to people? Ideas for a better flag (Z just happened
> > to be handy)? Other thoughts, comments, suggestions?
>
> How about having the cake and eating it (at least partially)?
> What I am thinking about is something like keeping state but only for the
> last 1000 (insert your favourite number here) packets and only *then* throwing
> it away. Or is this unrealistic?

Possible, but I think it would be confusing. There's no way to do a sliding
window of state, so doing this you would get reassembly *most* of the time,
except when the packets being reassembled happened to cross one of those
n-packet boundaries. As such the dissection would be inconsistent, which isn't
very nice.

Perhaps better would be a flag to throw out state every time the ring-buffer
cycles files (assuming ring-buffer is enabled)?

Evan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
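
The n-packet boundary effect discussed in the thread, as an added toy model (not part of the original messages and not Wireshark code). The packet tuples, `reassemble`, `make_capture` and `lost` are hypothetical names, and the capture is constructed sample data.

```python
from collections import defaultdict

def reassemble(packets, reset_every=None):
    """Toy reassembler over (msg_id, frag_index, frag_total) tuples.

    reset_every=None keeps state forever (stateful dissection),
    reset_every=1 discards state after each packet (the "stateless" mode),
    reset_every=N discards all state after every N-th packet.
    Returns the msg_ids that were completely reassembled, in order.
    """
    state = defaultdict(set)   # msg_id -> fragment indexes seen so far
    done = []
    for n, (msg_id, idx, total) in enumerate(packets, start=1):
        state[msg_id].add(idx)
        if len(state[msg_id]) == total:
            done.append(msg_id)
            del state[msg_id]
        # State is discarded only after the packet has been dissected.
        if reset_every and n % reset_every == 0:
            state.clear()
    return done

def make_capture(messages=6, frags=3, lead=0):
    """Constructed capture: `lead` unfragmented packets, then `messages`
    messages of `frags` fragments each, back to back."""
    pkts = [(f"pad{i}", 0, 1) for i in range(lead)]
    for m in range(messages):
        pkts += [(f"msg{m}", i, frags) for i in range(frags)]
    return pkts

def lost(packets, reset_every):
    """Messages that full state reassembles but the windowed mode does not."""
    windowed = set(reassemble(packets, reset_every))
    return [m for m in reassemble(packets) if m not in windowed]

if __name__ == "__main__":
    for lead in (0, 1):
        print(f"lead={lead} reset_every=4 lost:", lost(make_capture(lead=lead), 4))
    print("reset_every=1 lost:", lost(make_capture(), 1))
```

Shifting the same traffic by a single packet (`lead=1`) changes which messages fail to reassemble, which is the inconsistency the reply describes.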
