Thanks for the pointers and explanation. Will take a look at the smtp dissector.
Thanks,
Sudarshan
On Wed, Aug 26, 2009 at 4:09 PM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
>
> On Aug 26, 2009, at 3:25 AM, Sudarshan Raghavan wrote:
>
>> When running a capture or when opening a captured file, wireshark
>> dissects it to build the display tree and all. What I also observed is
>> that when I select a packet in the display it once again calls the
>> dissector to analyze the packet. This seems to be a little wasteful
>> since the analysis done earlier is discarded.
>
> That depends on what you want to waste.
>
> *Not* discarding the analysis done earlier would require
>
> 1) generating the full protocol tree for every packet when reading in
> the capture (even if the full information from the protocol tree isn't
> needed at that point)
>
> and
>
> 2) storing that tree for every packet.
>
> Many years ago, when we first split the protocol tree from the tree
> widget used to display the packet, there was a bug that caused the
> protocol tree for a packet not to be freed when Ethereal (as it was
> called at the time) was finished with it - I discovered this when
> filtering a large capture, because my machine thrashed like crazy (to
> the point of unusability).
>
> In other words, it's a question of whether you want to consume lots of
> memory (possibly wastefully) or consume extra CPU.
>
>> It also poses a problem for streaming protocols like RTMP where what
>> was seen earlier decides how to make sense of the current data. For
>> example, RTMP has header optimizations by which message length is sent
>> only once and subsequent RTMP chunks use the length sent earlier.
>
> To be precise, it poses a problem for writers of dissectors of
> protocols where what was seen earlier controls how to make sense of
> the current data, so that they are required to:
>
> on the first pass through the packets, maintain state associated with
> the conversation, and construct data structures so that you can, for
> any packet, retrieve the relevant state information needed to dissect
> that packet;
>
> on all subsequent dissections of the packet, fetch that information
> and use it.
>
> See, for example, the SMTP dissector, which does exactly that.
>
>> Is there a way to turn this off and always use the initial analysis?
>
> No.
>
> The *only* way we'd consider it would be if we stored the protocol
> trees in question in a file, so that they don't take virtual memory
> (they'd take disk space, of course...).
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>