
Wireshark-dev: Re: [Wireshark-dev] [PATCH] User can select dissector based on packet matching d

From: "Douglas Pratley" <Douglas.pratley@xxxxxxxxxx>
Date: Thu, 1 Feb 2007 09:51:29 -0000
 

> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx 
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
> Sent: 31 January 2007 18:35
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] [PATCH] User can select 
> dissector based on packet matching display filter
> 
> Douglas Pratley wrote:
> 
> > b) Adds functionality analogous to dissector tables, but instead of 
> > directing by field values, there is a list of display-filter / 
> > sub-dissector pairs. A sub-dissector is called if the display filter
> > is matched by the packet.
> 
> Display filter values are available only if a protocol tree 
> is being constructed.
> 
> This means that, if this mechanism is enabled, you have to 
> force the construction of a protocol tree; presumably, if 
> it's *not* enabled, construction of a protocol tree is *not* 
> forced (forcing the construction of a protocol tree if the 
> protocol tree won't be used imposes a significant performance cost).

Yes; I did a scan for the places where Wireshark starts dissection and
tried to make a sensible decision as to whether this would be needed in
each case where there wasn't a tree being created anyway. It's plausible
that I missed some, in which case the "new" code will have no effect on
dissection via that route.

In all cases, the new code does not force a tree to be created unless
there is at least one "dissection filter" defined (there is a quick
check function). As there are none when Wireshark starts up, this should
have no impact unless a user turns it on explicitly (although a comment
about performance in the documentation would have been good - will try
to remember to add one if / when patch has gone through).

As far as I can tell, the packet list dissection does use a tree if you
have colour filters turned on, so for "normal" Wireshark use there
should be no additional performance impact even with dissection filters
turned on (unless the user sets up lots of them).

There is currently no way to add any dissector filters in tshark, so
there should be no impact on the performance.

Cheers

Doug
