Wireshark-dev: Re: [Wireshark-dev] Okay to dissect more than one packet at the same time?

From: "Luis EG Ontanon" <luis@xxxxxxxxxxx>
Date: Thu, 27 Mar 2008 16:32:02 +0100
I think you won't get very far that way...

There's a lot of static variables used to keep state, so what's likely
to happen is that the second call to epan_dissect_new() will render
the results of the first call unusable.

I do not know for sure when and where ep_allocated memory gets
released but my guess is that the other danger you face is that the
second call to epan_dissect_new() will move the pointer back to the
start of the ep memory pool and will overwrite all the allocated
memory.

Your requirements to do what you want are pretty much the same as we have
for going multithreaded
(http://wiki.wireshark.org/Development/multithreading)... which is a
huge job for 600K lines of code, considering that most of it should be
refactored.

Luis

On Thu, Mar 27, 2008 at 4:06 PM, Eloy Paris <peloy@xxxxxxxxxx> wrote:
> Hello,
>
>  Is it possible to dissect more than one packet at the same time. Or
>  asked another way, is it okay to keep in memory the result of more than
>  one packet dissection? I haven't looked at what wireshark does (and
>  perhaps that is why I don't know the answer to this) but I did look at
>  what tshark does and it calls epan_dissect_run() in a serialized manner,
>  i.e. read packet, dissect packet, output result, read next packet,
>  dissect, output result, and so on.
>
>  In terms of code, what I would like to do is something like this:
>
>     epan_dissect_t *edt1, *edt2;
>
>     edt1 = epan_dissect_new(...);
>     epan_dissect_run(edt1, &pseudo_header1, packet1, &fdata1, NULL);
>
>     edt2 = epan_dissect_new(...);
>     epan_dissect_run(edt2, &pseudo_header2, packet2, &fdata2, NULL);
>
>     do_something_with_dissection_results(edt1, edt2);
>
>     epan_dissect_free(edt1);
>     epan_dissect_free(edt2);
>
>  Is the above an okay thing to do? Any gotchas and/or things to avoid?
>
>  Thanks in advance.
>
>  Eloy Paris.-



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
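
The hazard guessed at in the reply above, as an added example that is not part of the original thread and is not Wireshark code: a toy allocator (every `toy_*` name is hypothetical) that rewinds its pool at the start of each dissection, so the first result is overwritten by the second. It assumes the per-dissection rewind that the reply describes as a guess, and shows the copy-out pattern that keeps the first result usable.

```c
#include <stdio.h>
#include <string.h>

/* Toy per-packet ("ephemeral") pool; a stand-in, not Wireshark's allocator. */
static char pool[256];
static size_t pool_used;

static char *toy_pool_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    if (pool_used + n > sizeof pool) return NULL;
    char *p = pool + pool_used;
    memcpy(p, s, n);
    pool_used += n;
    return p;
}

/* Hypothetical dissection result; 'summary' points into the shared pool. */
struct toy_result { const char *summary; };

/* Assumption from the reply: each new dissection rewinds the pool to its start. */
static int toy_dissect(struct toy_result *r, const char *label)
{
    pool_used = 0;
    r->summary = toy_pool_strdup(label);
    return r->summary ? 0 : -1;
}

/* Returns 1 when the second dissection has overwritten the first result. */
int first_result_clobbered(void)
{
    struct toy_result r1, r2;
    toy_dissect(&r1, "packet1: TCP SYN");     /* constructed sample labels */
    toy_dissect(&r2, "packet2: DNS query");
    return strcmp(r1.summary, "packet1: TCP SYN") != 0;
}

/* Safe pattern: copy needed fields to caller-owned storage before the next run. */
int copy_out_survives(void)
{
    struct toy_result r1, r2;
    char saved[64];
    toy_dissect(&r1, "packet1: TCP SYN");
    snprintf(saved, sizeof saved, "%s", r1.summary);
    toy_dissect(&r2, "packet2: DNS query");
    return strcmp(saved, "packet1: TCP SYN") == 0 && strcmp(r2.summary, "packet2: DNS query") == 0;
}

int main(void) { printf("clobbered=%d copy_ok=%d\n", first_result_clobbered(), copy_out_survives()); return 0; }
```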