
[Wireshark-dev] Is it feasible to not dissect all packets with previous display

From: yami <yamisoe@xxxxxxxxx>
Date: Wed, 11 Feb 2009 15:57:21 +0800
Hi dev,

First I'll use the simplest case to illustrate my thinking. BTW, I have implemented this idea, so technically it is feasible :).

A user uses 'udp' to filter packets in GUI, then he uses 'tcp' to filter. At the third time, he decides to use 'udp' to filter again.

If we stored some information such as "which packet has passed the first (i.e. 'udp') filter", it may be safe to ONLY dissect these passed-filter packets. In other words, there is no need to dissect packets which did NOT pass the 'udp' filter previously, when we are filtering 'udp' for the third time.

The filtering process will be faster (in some cases it will be much faster). It will be a nice feature if it does not break anything (such as tapping, reassembling) by only dissecting part of the packets.


In the general form, this is a Boolean Satisfiability [1] problem. Assume a new display filter, say D, contains previously applied filters S1, ..., Sn.

And for packet P, if it passed Si then assign Bi to 1, otherwise 0, so we get B1,...,Bn; then we can generate a boolean expression, say EXP, for D with its subtrees S1,...,Sn replaced by B1,...,Bn.

If EXP could never be true, then P will not pass D (we know this without dissecting/filtering).
If !(EXP) could never be true, then P will pass D.
If the above two are satisfied, we should dissect/filter P.

[1] http://en.wikipedia.org/wiki/Boolean_satisfiability_problem


Comments are welcome.
Thanks!
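The decision procedure sketched above, as an added example that is not part of the original post and not Wireshark code: a filter is a small expression tree over named sub-filters, cached per-packet results B_i are substituted in, and the remaining unknown sub-filters are enumerated to see whether EXP can still be both true and false (the filter names and the packet cache are constructed sample data).

```python
from itertools import product
# Display filter tree: a string names a sub-filter (an S_i), otherwise the
# node is ("not", a), ("and", a, b) or ("or", a, b).
def evaluate(expr, env):
    """Evaluate the tree with every sub-filter name bound in env."""
    if isinstance(expr, str):
        return env[expr]
    op, args = expr[0], expr[1:]
    if op == "not":
        return not evaluate(args[0], env)
    if op == "and":
        return evaluate(args[0], env) and evaluate(args[1], env)
    if op == "or":
        return evaluate(args[0], env) or evaluate(args[1], env)
    raise ValueError("unknown operator %r" % op)

def sub_filters(expr):
    """Names of all sub-filters appearing in the tree."""
    if isinstance(expr, str):
        return {expr}
    return set().union(*(sub_filters(e) for e in expr[1:]))

def decide(expr, known):
    """Return 'pass', 'fail' or 'dissect' for one packet.
    known maps each previously applied sub-filter to its cached result for
    this packet (the B_i). Sub-filters never applied before stay unknown and
    EXP is tried under every assignment to them: never true -> 'fail', never
    false -> 'pass', otherwise the packet really must be dissected. The
    enumeration is exponential in the number of unknown sub-filters."""
    unknown = sorted(sub_filters(expr) - set(known))
    seen = set()
    for bits in product((False, True), repeat=len(unknown)):
        env = dict(known)
        env.update(zip(unknown, bits))
        seen.add(evaluate(expr, env))
        if len(seen) == 2:          # EXP can be both true and false
            return "dissect"
    return "pass" if True in seen else "fail"

def plan_refilter(expr, cache):
    """decide() for every packet number in a per-packet result cache."""
    return {num: decide(expr, known) for num, known in cache.items()}

# Constructed cache from two earlier filter runs ('udp', then 'tcp').
CACHE = {1: {"udp": True, "tcp": False}, 2: {"udp": False, "tcp": True},
         3: {"udp": False, "tcp": False}}
# New filter D: udp || (tcp && ip.addr == 10.0.0.1); the ip.addr test is new.
FILTER_D = ("or", "udp", ("and", "tcp", "ip.addr == 10.0.0.1"))
if __name__ == "__main__":
    print(plan_refilter(FILTER_D, CACHE))  # {1: 'pass', 2: 'dissect', 3: 'fail'}
```

Only packet 2 needs real dissection; packets 1 and 3 are settled from the cache alone, which is the saving the post describes.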