Re: Stateless Dissection

[Evan Huus <eapache () gmail com>]

On Sun, Jun 22, 2014 at 6:05 PM, Joerg Mayer <jmayer () loplof de> wrote:

> On Sun, Jun 22, 2014 at 05:07:19PM -0400, Evan Huus wrote:
> > After Kurt's recent post I dug up an old patch I'd played with and
> cleaned
> > it up a bit. It still needs some work (documentation at the very least)
> but
> > [1] should add a -Z option to tshark which turns on "stateless"
> dissection.
> > You lose reassembly and all that, but you should get no memory growth at
> > all.
> >
> > The implementation is a bit of a hack in that stateless dissection still
> > does all the stateful work, it just throws it away after each packet (so
> > stateless is actually slightly slower than stateful) but it seems to work
> > in my simple tests.
> >
> > Does this seem useful to people? Ideas for a better flag (Z just happened
> > to be handy)? Other thoughts, comments, suggestions?
>
> How about having the cake and eating it (at least partially)?
> What I am thinking about is something like keeping state but only for the
> last 1000 (insert your favourite number here) packets and only *then*
> throwing
> it away. Or is this unrealistic?

Possible, but I think it would be confusing. There's no way to do a sliding
window of state, so doing this you would get reassembly *most* of the time,
except when the packets being reassembled happened to cross one of those
n-packet boundaries. As such the dissection would be inconsistent, which
isn't very nice.

Perhaps better would be a flag to throw out state every time the
ring-buffer cycles files (assuming ring-buffer is enabled)?

Evan

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe