I was astounded with the huge size of packet_info structure. I believe in 99% of the cases, there is no need for many of the fields within the structure. Wouldn't it make sense, for performance reasons, to leave the most usable ones within it, and create a pointer to an extra structure with the other, less commonly used stuff. I'm pretty sure it'll save memory and probably improve performance, but would require some changes and complicate a bit the programming. Thoughts?

Semi-random examples:
guint16 src_idx;              /* Source port index (Cisco MDS-specific) */
  guint16 dst_idx;              /* Dest port index (Cisco MDS-specific) */
  guint16 vsan;                 /* Fibre channel/Cisco MDS-specific */

(how many of us need the above?)

  guint16 link_number;
  guint8  annex_a_used;
  guint16 profinet_type;     /* the type of PROFINET packet (0: not a PROFINET packet) */

(It it even 16bit aligned?!)

/* Extra data for DCERPC handling and tracking of context ids */
  guint16 dcectxid;             /* Context ID (DCERPC-specific) */
  int     dcetransporttype;     /* Transport type
                                 * Value -1 means "not a DCERPC packet"
                                 */
  guint16 dcetransportsalt;    /* fid: if transporttype==DCE_CN_TRANSPORT_SMBPIPE */

(can't it reside in its own struct?, again, is it aligned on some boundaries?)