Wireshark mailing list archives
Re: multiple parsing of the same packets
From: Matthieu Patou <mat () samba org>
Date: Wed, 30 Oct 2013 11:20:34 -0700
On 10/30/2013 07:31 AM, Evan Huus wrote:
> On Wed, Oct 30, 2013 at 4:14 AM, Matthieu Patou <mat () samba org> wrote:
>> Hello,
>>
>> I noticed a long time ago that Wireshark is parsing the same packet at least 3 times. To make it worse, if I go back and forth to the same packet it will be dissected one more time. With complex protocols like DRS (directory replication for Active Directory) it's really a problem as the UI freezes for a while.
>
> Is the protocol really so complex that dissecting a single packet of it takes a user-visible amount of time? That seems suspect to me.

So what I did is that I'm dissecting the deferred RPC pointers only if tree != NULL. The dissection of pointers takes a while because there are ~1700 top-level pointers and each of them has a lot of inner pointers; DRS is a very complicated protocol.

>> First thing, why 3 dissections initially? Is there a way to reduce this to 2? I more or less understand why 2 passes are needed, but 3 ...
>
> It is in theory possible, the third pass is usually either to fill in the column or tree information. We could in theory pull that straight from the second pass, but we would have to calculate in advance which packets are visible, which may or may not be easy.

Pardon my Wireshark ignorance, but it really looks like the 2nd and the 3rd passes are recreating the thing from scratch.

>> Also, is it possible to remember the dissection of a packet so that we don't do it again and again?
>
> It is quite possible, it just takes an enormous amount of memory. I actually hacked together a patch for this a few weeks ago while doing some performance tests [1].
>
> [1] http://www.mail-archive.com/wireshark-dev () wireshark org/msg29107.html

Well, memory is not limitless either ...

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe