Wireshark-dev: Re: [Wireshark-dev] Idea for faster dissection on second pas

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 11 Oct 2013 10:58:05 -0400
On 10/11/13 00:41, Anders Broman wrote:
> Evan Huus wrote 2013-10-11 01:51:
>> On Thu, Oct 10, 2013 at 6:22 PM, Evan Huus <eapache@xxxxxxxxx> wrote:
>>> It might be simpler and almost as efficient to have
>>> recently-successful heuristic dissectors bubble nearer to the top of
>>> the list so they are tried sooner. Port/conversation lookups are
>>> hash-tables for the most part and likely won't be made noticeably
>>> faster by caching.
>> The attached trivial patch more-or-less implements the above idea. It
>> isn't easy to bubble dissectors to the very head of the list because
>> we don't have a modifiable pointer, but it was surprisingly easy to
>> bubble them to *second* in the list, which should still be a
>> substantial improvement if there are many expensive heuristics.
>>
>> I don't have any long heuristic captures that I can easily time, but
>> I've run a few short ones and at least it doesn't seem to break
>> anything.
>>
>> Let me know if it helps,
>> Evan
> In the particular case I'm looking at there is mostly no match in the
> heuristics tables except false positives;
> the same is true for many of the uint table lookups too as there is RTP
> sent from a tool simulating many

If you're looking mostly at "no match" cases then what about only calling heuristic dissectors that are in the (hopefully stored from the 1st pass) protocols-in-frame list? Maybe it would need to not be a list if we're looking at it that often...
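
The "bubble to second in the list" idea quoted above, as an added example that is not part of the thread and is not the attached patch or Wireshark's own code. The `heur_entry` type, the first-byte "heuristic" and the sample packets are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for one entry in a heuristic dissector list. */
typedef struct heur_entry {
    const char *name;
    unsigned char magic;        /* constructed heuristic: match on first byte */
    struct heur_entry *next;
} heur_entry;

int heur_calls;                 /* total number of heuristics tried so far */

/* Walk the list; on a hit, move the entry to second place. The head node is
 * never relinked, so the caller's pointer to the list stays valid. */
const char *try_heuristics(heur_entry *head, const unsigned char *buf, size_t len)
{
    heur_entry *prev = NULL;
    for (heur_entry *e = head; e != NULL; prev = e, e = e->next) {
        heur_calls++;
        if (len == 0 || buf[0] != e->magic)
            continue;
        if (prev != NULL && prev != head) {   /* e is third or later */
            prev->next = e->next;             /* unlink e */
            e->next = head->next;             /* reinsert right after head */
            head->next = e;
        }
        return e->name;
    }
    return NULL;                              /* no heuristic claimed the data */
}

/* Constructed sample: four heuristics in the order aaa, bbb, ccc, ddd.
 * Returns how many heuristics were tried for the n-th packet (1-based)
 * in a run of identical packets starting with first_byte. */
int cost_of_nth_packet(unsigned char first_byte, int n)
{
    heur_entry d = {"ddd", 'D', NULL}, c = {"ccc", 'C', &d},
               b = {"bbb", 'B', &c},   a = {"aaa", 'A', &b};
    const unsigned char pkt[] = {first_byte, 0x01, 0x02};
    int before = 0;
    for (int i = 0; i < n; i++) {
        before = heur_calls;
        try_heuristics(&a, pkt, sizeof pkt);
    }
    return heur_calls - before;
}

int main(void)
{
    printf("match, 1st packet: %d\n", cost_of_nth_packet('D', 1));
    printf("match, 2nd packet: %d\n", cost_of_nth_packet('D', 2));
    printf("no match, 2nd packet: %d\n", cost_of_nth_packet('X', 2));
    return 0;
}
```

The last case is the "no match" situation raised in the thread: reordering does not reduce the cost there, because every heuristic is still tried.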