
Wireshark-dev: Re: [Wireshark-dev] Idea for faster dissection on second pas

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 11 Oct 2013 11:01:43 -0400
On 10/11/13 10:37, Evan Huus wrote:
> On Fri, Oct 11, 2013 at 9:22 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
>> On 10/10/13 18:22, Evan Huus wrote:
>>>
>>> It might be simpler and almost as efficient to have
>>> recently-successful heuristic dissectors bubble nearer to the top of
>>> the list so they are tried sooner. Port/conversation lookups are
>>> hash-tables for the most part and likely won't be made noticeably
>>> faster by caching.
>>
>> Wouldn't that expose us to the risk that the dissection actually changes on
>> the 2nd pass (because the call order of the heuristics changes)? That would
>> look pretty weird...
>
> Only if two heuristics match the same packet, which is, theoretically,
> a bug since they can't both be right.

Agreed that it's a bug but I assume it's a fairly common one. Now false positives are only mildly annoying (FAQ: why are my UDP packets showing up as X when they are Y? Answer: Disable protocol X, maybe open a bug to see if we can improve the heuristics); I don't really know what would happen if the dissection changed from pass to pass.
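
The scenario discussed in this thread, as an added example that is not part of the original message and not Wireshark code: a move-to-front heuristic list with two overlapping heuristics, dissecting the same capture twice. The heuristics `heur_x` and `heur_y`, the table, and the two packets are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical heuristic dissector: returns 1 if it claims the payload. */
typedef int (*heur_fn)(const unsigned char *p, size_t n);
typedef struct { const char *name; heur_fn fn; } heur_t;

/* Constructed heuristics: X checks one byte, Y checks two, so they overlap. */
static int heur_x(const unsigned char *p, size_t n) { return n >= 1 && p[0] == 0x01; }
static int heur_y(const unsigned char *p, size_t n) { return n >= 2 && p[0] == 0x01 && p[1] == 0x02; }

#define NHEUR 2
#define NPKT 2
static heur_t table[NHEUR];

/* Constructed capture: packet 0 matches X and Y, packet 1 matches only X. */
static const unsigned char pkts[NPKT][2] = { {0x01, 0x02}, {0x01, 0x09} };

/* Try heuristics in list order; the first match wins and moves to the front. */
const char *dissect(const unsigned char *p, size_t n) {
    for (int i = 0; i < NHEUR; i++) {
        if (table[i].fn(p, n)) {
            heur_t hit = table[i];
            memmove(&table[1], &table[0], (size_t)i * sizeof(heur_t));
            table[0] = hit;
            return hit.name;
        }
    }
    return "data";
}

/* Dissect the capture twice without resetting the order; count label changes. */
int run_two_passes(const char *pass1[NPKT], const char *pass2[NPKT]) {
    int changed = 0;
    table[0] = (heur_t){"Y", heur_y};   /* initial registration order */
    table[1] = (heur_t){"X", heur_x};
    for (int i = 0; i < NPKT; i++) pass1[i] = dissect(pkts[i], sizeof pkts[i]);
    for (int i = 0; i < NPKT; i++) pass2[i] = dissect(pkts[i], sizeof pkts[i]);
    for (int i = 0; i < NPKT; i++) changed += strcmp(pass1[i], pass2[i]) != 0;
    return changed;
}

int main(void) {
    const char *p1[NPKT], *p2[NPKT];
    int changed = run_two_passes(p1, p2);
    for (int i = 0; i < NPKT; i++) printf("packet %d: pass1=%s pass2=%s\n", i, p1[i], p2[i]);
    printf("%d packet(s) changed\n", changed);
    return 0;
}
```

Packet 1 promotes X during the first pass, so packet 0, which both heuristics accept, is labelled Y on the first pass and X on the second.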