Wireshark · Wireshark-dev: Re: [Wireshark-dev] Optimization - accumulative filters?

Wireshark-dev: Re: [Wireshark-dev] Optimization - accumulative filters?

From: "Anders Broman" <anders.broman@xxxxxxxxxxxx>

Date: Wed, 18 Nov 2009 12:24:53 +0100

 

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of didier
Sent: den 18 november 2009 05:51
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Optimization - accumulative filters?

Hi,
Le jeudi 05 novembre 2009 à 23:48 +0800, yami a écrit :
>> I once implemented a quite usable prototype with similar idea, but 
>> more general.
>> 
>> You may be interested in it:
>>   http://wiki.wireshark.org/Development/FastFiltering
>> 
>> (Oooh, I have not update the patch for a long time...)
>If there's an interest I can extract my stuff based on Yami's work.
>
>Patches would be:
>1) don't decode packets when clearing the filter expression.
>
>2) use copy by value rather than by reference for fvalues in expression syntax tree. It's needed later and 
>anyway: 
>- It's not in the fast path.
>- It close a trivial memory leak.
>
>3) Minor change in filter compilation: define a check only syntax function.
>
>4) Use Yami work for finding and saving common subexpressions in filters, saved in a 64 bits field in frame 
>data.
>
>Notes:
>- It doesn't use Yami SAT but builds a true table and checks against it.
>Ex:
>tcp.stream==0 ==> save as v1
>!(tcp.stream==0) ==> reduce to '!v1', save as v2 True table for !v1
>v1  S
>0   1
>1   0
>No need to decode packets
>
>'!(tcp.stream==0) && tcp.port==foo' ==> reduce to 'v2 && tcp.port==foo'
>True table
>v2  tcp.port==foo  S
>0     unknown      0
>1     unknown      2
>0     unknown      0
>1     unknown      2
>Only have to decode packet if S == 2
>
>Didier

I had a much simpler aproach in mind 
- Add a new filter box in the filter toolbar.
- When a filter is added "run" it on the vissible packets e.g the ones that pased the previous filter
  using the new_packet_list's "vissible packets list"

Regards
Anders


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

Follow-Ups:
- [Wireshark-dev] LTE protocol family developped ?
  - From: BARILLY YANN

References:
- [Wireshark-dev] Optimization - accumulative filters?
  - From: Anders Broman
- Re: [Wireshark-dev] Optimization - accumulative filters?
  - From: Sake Blok
- Re: [Wireshark-dev] Optimization - accumulative filters?
  - From: yami
- Re: [Wireshark-dev] Optimization - accumulative filters?
  - From: didier

Prev by Date: Re: [Wireshark-dev] Optimization - accumulative filters?
Next by Date: [Wireshark-dev] LTE protocol family developped ?
Previous by thread: Re: [Wireshark-dev] Optimization - accumulative filters?
Next by thread: [Wireshark-dev] LTE protocol family developped ?
Index(es):
- Date
- Thread