Wireshark mailing list archives

Re: Optimization - accumulative filters?


From: "Anders Broman" <anders.broman () ericsson com>
Date: Wed, 18 Nov 2009 12:24:53 +0100

 

-----Original Message-----
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of didier
Sent: 18 November 2009 05:51
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Optimization - accumulative filters?

Hi,
On Thursday 05 November 2009 at 23:48 +0800, yami wrote:
I once implemented a quite usable prototype with a similar idea, but 
more general.

You may be interested in it:
  http://wiki.wireshark.org/Development/FastFiltering

(Oooh, I have not updated the patch for a long time...)
If there's an interest I can extract my stuff based on Yami's work.

Patches would be:
1) don't decode packets when clearing the filter expression.

2) use copy by value rather than by reference for fvalues in the expression syntax tree. It's needed later and 
anyway: 
- It's not in the fast path.
- It closes a trivial memory leak.

3) Minor change in filter compilation: define a check only syntax function.

4) Use Yami's work for finding and saving common subexpressions in filters, saved in a 64-bit field in frame 
data.

Notes:
- It doesn't use Yami's SAT but builds a truth table and checks against it.
Ex:
tcp.stream==0 ==> save as v1
!(tcp.stream==0) ==> reduce to '!v1', save as v2. Truth table for !v1
v1  S
0   1
1   0
No need to decode packets

'!(tcp.stream==0) && tcp.port==foo' ==> reduce to 'v2 && tcp.port==foo'
Truth table
v2  tcp.port==foo  S
0     unknown      0
1     unknown      2
0     unknown      0
1     unknown      2
Only have to decode packet if S == 2

Didier

I had a much simpler approach in mind 
- Add a new filter box in the filter toolbar.
- When a filter is added "run" it on the visible packets e.g. the ones that passed the previous filter
  using the new_packet_list's "visible packets list"

Regards
Anders
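The truth-table idea from didier's message, as an added example in Python that is not Wireshark code or anything posted in the thread: leaf tests are numbered, each frame carries a 64-bit field caching their results, and the filter tree is evaluated in three-valued logic so a frame is decoded only when the cached bits do not already decide it. TESTS, the field names and the filters in demo() are constructed assumptions.

```python
# Added example, not Wireshark code: decide from cached subexpression results
# whether a frame must be decoded at all. The frame cache is a 64-bit field;
# test i uses bit 2*i ("known") and bit 2*i+1 (value). TESTS is a constructed sample.
TESTS = {0: lambda f: f["tcp.stream"] == 0, 1: lambda f: f["tcp.port"] == 443}

def cache_get(cache, i):
    """True/False if test i is cached for this frame, else None (unknown)."""
    return bool((cache >> (2 * i + 1)) & 1) if (cache >> (2 * i)) & 1 else None

def cache_put(cache, i, value):
    """Record test i's result in the 64-bit field; returns the updated field."""
    return (cache | 1 << (2 * i) | bool(value) << (2 * i + 1)) & ((1 << 64) - 1)

def evaluate(expr, cache):
    """Three-valued evaluation of ('leaf', i) | ('not', e) | ('and', a, b) | ('or', a, b).
    None means a needed leaf is not cached, i.e. the frame would have to be decoded."""
    op = expr[0]
    if op == "leaf":
        return cache_get(cache, expr[1])
    if op == "not":
        v = evaluate(expr[1], cache)
        return None if v is None else not v
    a, b = evaluate(expr[1], cache), evaluate(expr[2], cache)
    if op == "and":
        return False if False in (a, b) else (True if a and b else None)
    return True if True in (a, b) else (False if a is False and b is False else None)

def leaves(expr):
    """Indexes of all leaf tests in an expression tree."""
    return {expr[1]} if expr[0] == "leaf" else {i for e in expr[1:] for i in leaves(e)}

def apply_filter(expr, cache, fields):
    """Return (match, updated cache, decoded?); decodes only when the cache is not enough."""
    if (result := evaluate(expr, cache)) is not None:
        return result, cache, False
    for i in leaves(expr):                       # "decode": run the uncached leaf tests
        if cache_get(cache, i) is None:
            cache = cache_put(cache, i, TESTS[i](fields))
    return evaluate(expr, cache), cache, True

def demo(fields):
    """Run the three filters from the mail in order on one frame; returns [(match, decoded), ...]."""
    stream0 = ("leaf", 0)
    filters = [stream0, ("not", stream0), ("and", ("not", stream0), ("leaf", 1))]
    cache, out = 0, []
    for expr in filters:
        match, cache, decoded = apply_filter(expr, cache, fields)
        out.append((match, decoded))
    return out
```

For a frame in stream 0 the negated filter and the combined filter are both decided from the cached bit without decoding (the S == 0 rows); for any other stream the combined filter hits the S == 2 case and decodes once.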


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe