Hi,
On Thursday 05 November 2009 at 23:48 +0800, yami wrote:
> I once implemented a quite usable prototype with a similar idea, but
> more general.
>
> You may be interested in it:
> http://wiki.wireshark.org/Development/FastFiltering
>
> (Oooh, I have not updated the patch for a long time...)

If there's an interest I can extract my stuff based on Yami's work.

Patches would be:
1) Don't decode packets when clearing the filter expression.
2) Use copy by value rather than by reference for fvalues in the expression
   syntax tree. It's needed later and anyway:
   - It's not in the fast path.
   - It closes a trivial memory leak.
3) Minor change in filter compilation: define a check only syntax
   function.
4) Use Yami's work for finding and saving common subexpressions in
   filters, saved in a 64-bit field in frame data.

Notes:
- It doesn't use Yami's SAT but builds a truth table and checks against it.
Ex:
  tcp.stream==0     ==> save as v1
  !(tcp.stream==0)  ==> reduce to '!v1', save as v2

  Truth table for !v1:
    v1  S
    0   1
    1   0
  No need to decode packets.

  '!(tcp.stream==0) && tcp.port==foo' ==> reduce to 'v2 && tcp.port==foo'

  Truth table:
    v2  tcp.port==foo  S
    0   unknown        0
    1   unknown        2
    0   unknown        0
    1   unknown        2
  Only have to decode the packet if S == 2.
Didier
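
The table check described in the message, written out as an added C example; it is not Didier's patch or Wireshark code. The node types, the one-bit-per-subexpression layout of the 64-bit field and all names are assumptions; the result codes 0, 1 and 2 follow the S column above.

```c
#include <stdint.h>
#include <stddef.h>

/* Outcome codes follow the S column of the tables in the message. */
enum { S_NO = 0, S_YES = 1, S_DECODE = 2 };

typedef enum { N_SAVED, N_FIELD, N_NOT, N_AND, N_OR } kind_t;

typedef struct node {
    kind_t kind;
    unsigned slot;              /* N_SAVED: bit index in the per-frame field */
    const struct node *a, *b;   /* operands (b is unused for N_NOT) */
} node_t;

/* Evaluate a filter tree against the saved bits of one frame.
 * Assumed layout: bit i of `saved` holds the result of saved
 * subexpression v(i+1), filled in when the frame was first dissected. */
int eval_saved(const node_t *n, uint64_t saved)
{
    int x, y;
    switch (n->kind) {
    case N_SAVED:
        return (int)((saved >> n->slot) & 1u);
    case N_FIELD:               /* e.g. tcp.port==foo: nothing saved */
        return S_DECODE;
    case N_NOT:
        x = eval_saved(n->a, saved);
        return x == S_DECODE ? S_DECODE : !x;
    case N_AND:                 /* a known 0 decides the result alone */
        x = eval_saved(n->a, saved);
        y = eval_saved(n->b, saved);
        if (x == S_NO || y == S_NO) return S_NO;
        return (x == S_YES && y == S_YES) ? S_YES : S_DECODE;
    case N_OR:                  /* a known 1 decides the result alone */
        x = eval_saved(n->a, saved);
        y = eval_saved(n->b, saved);
        if (x == S_YES || y == S_YES) return S_YES;
        return (x == S_NO && y == S_NO) ? S_NO : S_DECODE;
    }
    return S_DECODE;
}

/* Constructed sample trees for the two filters in the message. */
static const node_t V1 = { N_SAVED, 0, NULL, NULL };    /* tcp.stream==0 */
static const node_t V2 = { N_SAVED, 1, NULL, NULL };    /* !(tcp.stream==0) */
static const node_t NOT_V1 = { N_NOT, 0, &V1, NULL };
static const node_t PORT = { N_FIELD, 0, NULL, NULL };  /* tcp.port==foo */
static const node_t V2_AND_PORT = { N_AND, 0, &V2, &PORT };
```

A frame is handed to the dissector only when `eval_saved` returns `S_DECODE`; a 0 or 1 result is taken straight from the saved bits.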