Re: Save meta data to pcap-ng file during first pass dissection in Wireshark?

[Jaap Keuter <jaap.keuter () xs4all nl>]

Hi,

Interesting note. There's a basic architectural problem though, which hinders us
now and also with this option. It's that reassembly can take place at multiple
protocol layers, and these boundaries not always line up (think TCP).
There is no sure fire way to define 'the reassembled packets' since it depends
on the protocol layer you are looking at.

Besides that, storing and reading from a file, is slower than memory access, so
that won't help. It would help the memory footprint (after the first pass).

Thanks,
Jaap

On 01/23/2013 09:53 AM, Anders Broman wrote:
> Hi,
> Would it be feasible to have wireshark write packets out to a new file as they
> are analyzed during the first pass and read packets in from that
> File for the rest of the session. By doing that reassembled packets could be
> stored in the pcap-ng packet block as a new option instead of
> In memory and read back in together with the frame and stored (pointed to) in
> the fdata structure. Other metadata could probably be stored too in order to
> Speed up filtering. The new file should have some marking that the first pass
> analysis is done and some stuff can be skiped if this file is read back in or
> Reanalysed if the user so decides as all the original data should be retained.
> I'm sure there a pitfals in this kind of strategy but are there any major
> Reasons why this cant/shouldn't be done? Comments? Ideas?
>  
> Best regards
> Anders
>  

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe