Wireshark-dev: Re: [Wireshark-dev] Subdissectors for HTTP connect traffic

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Thu, 10 Aug 2006 11:46:29 -0700
On Thu, Aug 10, 2006 at 03:08:03PM +0200, Joerg Mayer wrote:

> I've two related questions regarding your patch: What will that mean 
> in terms of CPU overhead? What will that mean in terms of long term 
> memory usage?

As for memory usage, the current http dissector allocates the stat_info 
structure for every packet that it sees (ep_alloc) whereas my patch 
changes this to one seasonal allocation for each conversation (se_alloc) 
so the memory use is basically the same.  As for CPU cycles, my new code 
is only called when the request method is "CONNECT" and it is called for 
each packet of that conversation.  The current code calls the data 
dissector instead.  My new function http_payload_subdissector() is 
fairly short: it verifies that the response code to the connect was 
"ok", splits the request uri in two (the hostname and the port), 
displays the proxy connect hostname/port, and converts the port number 
string to a number to be passed along to the dissect_tcp_payload() 
function that calls the subdissector.  This is 
similar to how the socks dissector works.

BTW, the guint32 framenum in http_info_value_t was assigned but never 
used before and is no longer applicable since that structure is tied to 
the entire conversation, so I took it out of packet-http.h.  I forgot to 
attach the patch to that file to the original e-mail.  The full patch 
(packet-http.c and packet-http.h) is in bugzilla bug #1017.

Thanks for your consideration of my patch.

  Steve
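
An added example, not part of the original e-mail and not code from the patch or from Wireshark: one way to do the request-URI split and port conversion described above for a CONNECT target, rejecting malformed or out-of-range values before the port is used to pick a subdissector. The function name and its buffer-based interface are assumptions made for illustration, and the response-code check is left out.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Wireshark code: split a CONNECT request-target
 * ("host:port" or "[v6]:port") into host and a validated port number.
 * Returns 0 on success, -1 on malformed input. */
int split_connect_target(const char *uri, char *host, size_t host_len,
                         unsigned *port)
{
    const char *colon, *host_start = uri, *host_end;
    char *end;
    unsigned long val;

    if (uri == NULL || host == NULL || port == NULL || host_len == 0)
        return -1;

    if (uri[0] == '[') {                 /* bracketed IPv6 literal */
        host_end = strchr(uri, ']');
        if (host_end == NULL || host_end[1] != ':')
            return -1;
        host_start = uri + 1;
        colon = host_end + 1;
    } else {
        colon = strrchr(uri, ':');       /* last colon separates the port */
        if (colon == NULL || strchr(uri, ':') != colon)
            return -1;                   /* no port, or unbracketed extra ':' */
        host_end = colon;
    }

    if (host_end == host_start || (size_t)(host_end - host_start) >= host_len)
        return -1;                       /* empty host or would overflow buffer */

    /* Port: digits only, 1..65535; strtoul alone would accept "+80" or " 80". */
    if (colon[1] < '0' || colon[1] > '9')
        return -1;
    errno = 0;
    val = strtoul(colon + 1, &end, 10);
    if (errno != 0 || *end != '\0' || val == 0 || val > 65535)
        return -1;

    memcpy(host, host_start, (size_t)(host_end - host_start));
    host[host_end - host_start] = '\0';
    *port = (unsigned)val;
    return 0;
}
```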