Wireshark mailing list archives
Re: multiple parsing of the same packets
From: Matthieu Patou <mat () samba org>
Date: Mon, 04 Nov 2013 00:14:36 -0800
On 11/01/2013 11:53 AM, Didier wrote:
Hi
To make it worse if I go back and forth to the same packet it will be dissected one more time. With complex protocols like DRS (directory replication for Active Directory) it's really a problem as the UI freezes for a while.
Is the protocol really so complex that dissecting a single packet of it takes a user-visible amount of time? That seems suspect to me.
So what I did is that I'm dissecting the deferred RPC pointers only if tree != NULL. The dissection of pointers takes a while because there are ~1700 top-level pointers and each of them has a lot of inner pointers; DRS is a very complicated protocol.
Fair enough, that's quite a bit of data to process. The packets must be enormous.
The reassembled packet payload is 300K but it's compressed; after decompression it's 2MB of data.
Did you profile the code or can you share a capture? Problem could be elsewhere, like in dfilter_macro_build_ftv_cache (a usual culprit)...
Yes I did. I'm writing another email about this; expect news soon.
It's not in dfilter_macro... it's in the dcerpc dissector at the heart of it because of the # of objects.
om the second pass, but we would have to calculate in advance which
Well by DRS standard it is, and more than the size it's the number of objects that is important because of the complex structure of this kind of object.
packets are visible, which may or may not be easy.
Pardon my Wireshark ignorance but it really looks like the 2nd and the 3rd pass are recreating the thing from scratch.
Every time we do a dissection it is more-or-less "from scratch". The
This kind of massive DRS is spread on ~300 1500 bytes TCP packets.
That's not a big packet :)
But then yes agreed that it's not huge packets.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org