
Wireshark-dev: Re: [Wireshark-dev] Filebacked-tvbuffs : GSoC'13

From: Ambarisha B <b.ambarisha@xxxxxxxxx>
Date: Thu, 2 May 2013 14:55:54 +0530
On Wed, May 1, 2013 at 9:46 PM, Anders Broman <a.broman@xxxxxxxxxxxx> wrote:
It may be problematic to obtain the fragments from the original file in case it is gzipped or if the fragments are parts of decrypted packets, so writing to a new file might be the best option.

Agreed. Jeff suggested that we have decently fast random access to gzipped files. So, the way I see it, we have two ways of dealing with encrypted files (and bzip'ed files):
  1. Just keep all the info in temporary files and clean up the files when freeing the tvbs. In this case, can we use the wiretap to deal with the temporary files as well?
  2. In case of encrypted files, we can have a "large cache", so in the worst case we are back to where we are now with them.

If encrypted packets are not so common, 2 would be ok. But I think 1 is the right way to do it. What do you guys think? Or are there more ways of dealing with this?

Cheers, Ambarish