Wireshark-dev: Re: [Wireshark-dev] Problems dissecting large amounts of data

From: Brian Vandenberg <phantal@xxxxxxxxx>
Date: Tue, 26 Sep 2006 12:42:17 -0600
 Two things:

The window that I mentioned, showing progress of processed packet data, that window appears twice. Is this a redundancy that could be eliminated?

I tried the first idea I mentioned in my previous email, and it eliminated half of my problems. Previously there were a few major hangups I was experiencing:

:- First, clicking the initial packet caused the 'Processing packet data' window to appear twice.
:- Opening my dissector's tree caused the same thing to happen
:- Clicking line items in my tree, or opening subtrees would cause the 'processing' window to appear twice, then a very long delay I normally don't wait for (waited 10 min once before giving up).

I've managed to eliminate the last two by trying the 1st idea I mentioned previously. I don't know that I like the fix, but it eliminates the worst of my problems. However, as I mentioned, any ideas you may have would be appreciated.

-Brian

Brian Vandenberg wrote:
I'm writing a dissector for a protocol that is transmitted through http packets. It compresses the original data, then sends it via http. After decompressing it, I'm creating a new datasource:

new_tvb = tvb_new_real_data (raw_data, raw_data_length, raw_data_length);
tvb_set_free_cb (new_tvb, g_free);
tvb_set_child_real_data_tvbuff (tvb, new_tvb);
add_new_data_source (pinfo, new_tvb, "Raw data");

... then doing dissection on new_data. Everything seemed fine until I started dissecting packets with large amounts of raw data (100k+). The more raw data I have, the worse performance gets (go figure). When there's a large enough amount of data to dissect I get a window that says "Processing packet details", with status information such as the number of bytes processed, etc.

I've tried breaking during this process to see where in the code it's at, but visual studio never asks for a source file; it displays a disassembly window and it's not at all obvious to me where it's at in processing.

So, I guess what I'm wondering is, is this expected behavior when trying to crunch this much data? I'm only adding a few things to the tree right now, namely an FT_UINT8 (with an associated value_string array), an FT_UINT16 (displayed using BASE_DEC_HEX), and FT_BYTES; the latter may require a large number of bytes to be selected (this particular payload type could have 500k or more that gets highlighted in the tree view).

If this is expected behavior, do you have any suggested workarounds? A few things I've thought of:

:- For each payload in a given packet, generate a new data source (I'm not sure I like this idea; there could be 20-50 payloads in a given packet) :- For each payload, create a new line item in the packet list (I'm not sure how to go about this, but it's probably not hard and this seems like a decent way to approach the problem, but my qualm with it is that it seperates payloads from eachother)

 Any ideas/suggestions you may have would be appreciated.

-Brian