Wireshark-dev: Re: [Wireshark-dev] Reducing memory usage by not storing reassembled packet data

From: Anders Broman <a.broman@xxxxxxxxxxxx>
Date: Fri, 11 May 2012 06:40:52 +0200
Guy Harris skrev 2012-05-11 05:02:
On May 10, 2012, at 1:24 AM, Anders Broman wrote:

- In the reassembly routines If I remember correctly, I might be wrong I think we may waste memory for TCP. Fragments and reassembled fragments?
     - It might be possible to store file pointer and length rather than the fragment data and read in that data when needed.
Possible in some cases, although when I thought about it recently I realized that would only handle some cases.

If a reassembled packet is made up from other reassembled fragments (e.g., the unlikely-in-real-life case of reassembly of TCP segments in fragmented IP datagrams, or the more-likely case of higher-level packets reassembled from lower-level packets reassembled from TCP segments), finding the underlying chunks from the capture could be a bit of work and there wouldn't be a one-to-one correspondence between chunks referred to by the reassembly data structures and chunks from the capture file.

If a reassembled packet is made up from fragments extracted from decompressed or decrypted packets, then the chunks referred to by the reassembly data structures don't correspond *at all* to chunks from the capture file.
- Keep a sliding window of packets?
- A list of packets making up the fragment and re-read the packets as needed?
- Different reassembly routines for the odd cases? ( flags to the routines?)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list<wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe