Guy Harris skrev 2012-05-11 05:02:
On May 10, 2012, at 1:24 AM, Anders Broman wrote:
- In the reassembly routines If I remember correctly, I might be wrong I think we may waste memory for TCP. Fragments and reassembled fragments?
- It might be possible to store file pointer and length rather than the fragment data and read in that data when needed.
Possible in some cases, although when I thought about it recently I realized that would only handle some cases.
If a reassembled packet is made up from other reassembled fragments (e.g., the unlikely-in-real-life case of reassembly of TCP segments in fragmented IP datagrams, or the more-likely case of higher-level packets reassembled from lower-level packets reassembled from TCP segments), finding the underlying chunks from the capture could be a bit of work and there wouldn't be a one-to-one correspondence between chunks referred to by the reassembly data structures and chunks from the capture file.
If a reassembled packet is made up from fragments extracted from decompressed or decrypted packets, then the chunks referred to by the reassembly data structures don't correspond *at all* to chunks from the capture file.
- Keep a sliding window of packets?
- A list of packets making up the fragment and re-read the packets as
needed?
- Different reassembly routines for the odd cases? ( flags to the routines?)
___________________________________________________________________________
Sent via: Wireshark-dev mailing list<wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe