On Oct 30, 2013, at 7:31 AM, Evan Huus <eapache@xxxxxxxxx> wrote:
> On Wed, Oct 30, 2013 at 4:14 AM, Matthieu Patou <mat@xxxxxxxxx> wrote:
>
>> Also is it possible to remember the dissection of packet so that we don't do
>> it again and again ?
>
> It is quite possible, it just takes an enormous amount of memory.
Wireshark (or, as it was called at the time, Ethereal) dissectors originally directly produced a GTK+ tree widget structure, rather than a protocol tree later used to produce the display tree. The first implementation that produced a separate protocol tree had a bug wherein the trees weren't getting freed; I noticed that when reading in a large file got *really* slow and the machine started thrashing.