On 2013-08-28, at 2:42 AM, Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> wrote:
> On Tue, Aug 27, 2013 at 04:37:27PM -0400, Evan Huus wrote:
>> We already discard a great deal of state in (single-pass) tshark that we
>> keep around in Wireshark (or two-pass tshark).
>
> Really? I'm not so sure about that 'great deal' I think right now
> we are only freeing protocol frame data list.
It's true there's nothing really significant freed besides frame data list.
>
>> I dislike the idea of two-pass by default for exactly this reason: people
>> expect tshark to be relatively state-less. This is already not the case,
>> but it's a lot worse in two-pass mode. It might even make sense to add a
>> --state-less flag to tshark that disables all options which require state.
>> I don't know how feasible that would be however.
>
> If they want state-less they should probably use tcpdump.
>
> To be honest I don't like option --state-less (it'd be really hard to find),
Ya, it was just an idle thought, but I like it less now I've thought about it.
> I'd rather make single pass really state-less (if that's what user expect).
> And if user want to do pro dissection -2 must be used anyway.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
