[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

On 10/11/13 10:37, Evan Huus wrote:
> On Fri, Oct 11, 2013 at 9:22 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
> > On 10/10/13 18:22, Evan Huus wrote:
> > > It might be simpler and almost as efficient to have
> > > recently-successful heuristic dissectors bubble nearer to the top of
> > > the list so they are tried sooner. Port/conversation lookups are
> > > hash-tables for the most part and likely won't be made noticeably
> > > faster by caching.
> >
> >
> > Wouldn't that expose us to the risk that the dissection actually changes on
> > the 2nd pass (because the call order of the heuristics changes)? That would
> > look pretty weird...
>
> Only if two heuristics match the same packet, which is, theoretically,
> a bug since they can't both be right.

Agreed that it's a bug but I assume it's a fairly common one.  Now false 
positives are only mildly annoying (FAQ: why are my UDP packets showing 
up as X when they are Y? Answer: Disable protocol X, maybe open a bug to 
see if we can improve the heuristics); I don't really know what would 
happen if the the dissection changed from pass to pass.