
Wireshark-dev: Re: [Wireshark-dev] Okay to dissect more than one packet at the same time?

From: Eloy Paris <peloy@xxxxxxxxxx>
Date: Mon, 31 Mar 2008 19:14:08 -0400
Hi Luis,

Thanks for the response...

On Thu, Mar 27, 2008 at 04:32:02PM +0100, Luis EG Ontanon wrote:

> I think you won't get very far that way...
> 
> There's a lot of static variables used to keep state, so what's likely
> to happen is that the second call to epan_dissect_new() will render
> the results of the first call unusable.

Yeah, I kinda suspected that. The development wishlist on the wiki
contains this item:

"

> I do not know for sure when and where ep_allocated memory gets
> released but my guess is that the other danger you face is that the
> second call to epan_dissect_new() will move the pointer back to the
> start of the ep memory pool and will overwrite all the allocated
> memory.
> 
> Your requirements to do what you want are pretty much the same we have
> for going multithreaded
> (http://wiki.wireshark.org/Development/multithreading)... which is a
> huge job for 600K lines of code, considering that most of it should be
> refactored.

Okay, it's definitely more code that I now have to write but it's not
the end of the world. Just one more question related to this, though -
to be able to achieve my original goal, i.e. something like:

--------------------
    epan_dissect_t *edt1, *edt2;

    edt1 = epan_dissect_new(...);
    epan_dissect_run(edt1, &pseudo_header1, packet1, &fdata1, NULL);

    edt2 = epan_dissect_new(...);
    epan_dissect_run(edt2, &pseudo_header2, packet2, &fdata2, NULL);

    do_something_with_dissection_results(edt1, edt2);

    epan_dissect_free(edt1);
    epan_dissect_free(edt2);
--------------------

I am thinking about doing something like:

--------------------
    epan_dissect_t *edt;

    edt = epan_dissect_new(...);

    epan_dissect_run(edt, &pseudo_header1, packet1, &fdata1, NULL);
    results1 = save_dissection_results(edt);

    epan_dissect_run(edt, &pseudo_header2, packet2, &fdata2, NULL);
    results2 = save_dissection_results(edt);

    do_something_with_dissection_results(results1, results2);

    epan_dissect_free(edt);
--------------------

Tshark does not have to play these games since it never has to keep in
memory dissection results for more than one packet at the same time, but
it seems to me like Wireshark does need to do something like the above
since it keeps the results of multiple dissected packets in memory.

Does anyone know if Wireshark does indeed do something like the above?
If so, are the data structures used provided by libwireshark or are they
Gtk-related or custom data structures?

Thanks!

Eloy Paris.-
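The hazard Luis describes and the copy-out pattern Eloy sketches above, as an added, self-contained C example that is not Wireshark code and does not use libwireshark. A toy bump allocator (`ep_alloc`/`ep_reset`) stands in for the ep_ scratch pool that is rewound on every dissection run, `toy_dissect_run()` stands in for `epan_dissect_run()`, and `save_dissection_results()` is a hypothetical deep copy into caller-owned memory. The two sample packets are constructed. `keep_pointers_across_runs()` holds pool pointers from the first run while a second run happens and reports whether the first result survived; `copy_out_between_runs()` copies results out before the next run, which is the approach the message proposes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy per-packet scratch pool (constructed here, not libwireshark's ep_
 * allocator): a bump allocator that is rewound at the start of every run. */
#define EP_POOL_SIZE 4096
static uint8_t ep_pool[EP_POOL_SIZE];
static size_t ep_used;

static void ep_reset(void) { ep_used = 0; }

static void *ep_alloc(size_t n) {
    n = (n + 7) & ~(size_t)7;            /* keep allocations 8-byte aligned */
    if (ep_used + n > EP_POOL_SIZE) abort();
    void *p = ep_pool + ep_used;
    ep_used += n;
    return p;
}

/* Toy dissection results: strings that live in the scratch pool, the way
 * ep_strdup()-style allocations would. Stand-in for epan_dissect_t. */
typedef struct {
    const char *proto;
    const char *summary;
} toy_edt;

/* Stand-in for epan_dissect_run(): rewinds the pool, then "dissects" the
 * packet by looking at its first byte (IPv4 version/IHL 0x45 or not). */
static void toy_dissect_run(toy_edt *edt, const uint8_t *pkt, size_t len) {
    ep_reset();
    char *proto = ep_alloc(16);
    char *summary = ep_alloc(64);
    strcpy(proto, (len > 0 && pkt[0] == 0x45) ? "ipv4" : "unknown");
    snprintf(summary, 64, "%s, %zu bytes", proto, len);
    edt->proto = proto;
    edt->summary = summary;
}

/* Caller-owned copy of the results, independent of the scratch pool. */
typedef struct {
    char *proto;
    char *summary;
} saved_results;

static char *dup_string(const char *s) {       /* portable strdup() */
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (!d) abort();
    memcpy(d, s, n);
    return d;
}

/* Hypothetical helper named after the one in the message: deep-copies
 * everything the caller needs out of the pool before it is reused. */
static saved_results save_dissection_results(const toy_edt *edt) {
    saved_results r;
    r.proto = dup_string(edt->proto);
    r.summary = dup_string(edt->summary);
    return r;
}

static void free_saved_results(saved_results *r) {
    free(r->proto);
    free(r->summary);
}

/* Constructed sample packets: one that starts like an IPv4 header, one not. */
static const uint8_t packet1[] = {0x45, 0x00, 0x00, 0x14};
static const uint8_t packet2[] = {0x60, 0x00, 0x00, 0x00};

/* The pattern from the first sketch: two result structs, but both point
 * into the same pool. Returns 1 if packet1's result survived the second
 * run, 0 if the second run overwrote it. */
static int keep_pointers_across_runs(void) {
    toy_edt edt1, edt2;
    toy_dissect_run(&edt1, packet1, sizeof packet1);
    toy_dissect_run(&edt2, packet2, sizeof packet2);
    return strcmp(edt1.proto, "ipv4") == 0;
}

/* The pattern from the second sketch: one context, copy results out
 * between runs. Returns 1 if both saved results are intact. */
static int copy_out_between_runs(void) {
    toy_edt edt;
    toy_dissect_run(&edt, packet1, sizeof packet1);
    saved_results r1 = save_dissection_results(&edt);
    toy_dissect_run(&edt, packet2, sizeof packet2);
    saved_results r2 = save_dissection_results(&edt);
    int ok = strcmp(r1.proto, "ipv4") == 0 &&
             strcmp(r1.summary, "ipv4, 4 bytes") == 0 &&
             strcmp(r2.proto, "unknown") == 0;
    free_saved_results(&r1);
    free_saved_results(&r2);
    return ok;
}

int main(void) {
    printf("pointers kept across runs intact: %d\n", keep_pointers_across_runs());
    printf("results copied out intact:        %d\n", copy_out_between_runs());
    return 0;
}
```

The first function returns 0 because the second run rewinds the pool and writes "unknown" over the bytes `edt1.proto` still points at; nothing in the pool tells you it happened, which is why the static-state concern in the quoted reply applies to any caller that holds `epan_dissect_t` contents across runs. The second function returns 1 because the saved copies own their memory, at the cost of deciding up front which fields are worth copying.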