Re: Stateless Dissection

[Joerg Mayer <jmayer () loplof de>]

On Sun, Jun 22, 2014 at 05:07:19PM -0400, Evan Huus wrote:
> After Kurt's recent post I dug up an old patch I'd played with and cleaned
> it up a bit. It still needs some work (documentation at the very least) but
> [1] should add a -Z option to tshark which turns on "stateless" dissection.
> You lose reassembly and all that, but you should get no memory growth at
> all.
>
> The implementation is a bit of a hack in that stateless dissection still
> does all the stateful work, it just throws it away after each packet (so
> stateless is actually slightly slower than stateful) but it seems to work
> in my simple tests.
>
> Does this seem useful to people? Ideas for a better flag (Z just happened
> to be handy)? Other thoughts, comments, suggestions?

How about having the cake and eating it (at least partially)?
What I am thinking about is something like keeping state but only for the
last 1000 (insert your favourite number here) packets and only *then* throwing
it away. Or is this unrealistic?

Ciao
   Jörg
-- 
Joerg Mayer                                           <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe