Wireshark mailing list archives
Re: Idea for faster dissection on second pas
From: Anders Broman <anders.broman () ericsson com>
Date: Fri, 11 Oct 2013 15:14:48 +0000
-----Original Message----- From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Evan Huus Sent: den 11 oktober 2013 16:37 To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Idea for faster dissection on second pas On Fri, Oct 11, 2013 at 9:22 AM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:
On 10/10/13 18:22, Evan Huus wrote:It might be simpler and almost as efficient to have recently-successful heuristic dissectors bubble nearer to the top of the list so they are tried sooner. Port/conversation lookups are hash-tables for the most part and likely won't be made noticeably faster by caching.Wouldn't that expose us to the risk that the dissection actually changes on the 2nd pass (because the call order of the heuristics changes)? That would look pretty weird...
If there are heuristic false positives than there isn't much we can do besides make the individual heuristics better. If the port lookup isn't effective because >you know the ports don't line up, you can select the "Try heuristics first" option which should help at least a little.
Not really as the RTP dissector is weak and defaulted off and I'm only interested in performance improvements at this point. But it brings up a question; some of the heuristic dissectors are for "unusual" protocols and not perfect and some of the "port" dissectors Are registered in the epithermal port range (I think) should we default those to off?
Only if two heuristics match the same packet, which is, theoretically, a bug since they can't both be right.
Yes but that's the name of the game for heuristics, isn't it? Regards Anders ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: Idea for faster dissection on second pas, (continued)
- Re: Idea for faster dissection on second pas ronnie sahlberg (Oct 10)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 10)
- Re: Idea for faster dissection on second pas Anders Broman (Oct 10)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 11)
- Re: Idea for faster dissection on second pas Jeff Morriss (Oct 11)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 12)
- Re: Idea for faster dissection on second pas Jeff Morriss (Oct 11)
- Re: Idea for faster dissection on second pas Anders Broman (Oct 11)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 11)
- Re: Idea for faster dissection on second pas Jeff Morriss (Oct 11)
- Re: Idea for faster dissection on second pas Anders Broman (Oct 11)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 11)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 11)
- Re: Idea for faster dissection on second pas Anders Broman (Oct 12)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 12)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 12)
- Re: Idea for faster dissection on second pas Jakub Zawadzki (Oct 12)
- Re: Idea for faster dissection on second pas Evan Huus (Oct 12)
- Re: Idea for faster dissection on second pas didier (Oct 11)