Wireshark-dev: Re: [Wireshark-dev] Idea for faster dissection on second pas

From: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date: Fri, 11 Oct 2013 15:14:48 +0000

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Evan Huus
Sent: 11 October 2013 16:37
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Idea for faster dissection on second pas

On Fri, Oct 11, 2013 at 9:22 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
>> On 10/10/13 18:22, Evan Huus wrote:
>>>
>>> It might be simpler and almost as efficient to have 
>>> recently-successful heuristic dissectors bubble nearer to the top of 
>>> the list so they are tried sooner. Port/conversation lookups are 
>>> hash-tables for the most part and likely won't be made noticeably 
>>> faster by caching.
>>
>>
>> Wouldn't that expose us to the risk that the dissection actually 
>> changes on the 2nd pass (because the call order of the heuristics 
>> changes)? That would look pretty weird...
>

>If there are heuristic false positives then there isn't much we can do besides make the individual heuristics better. If the port lookup isn't effective because you know the ports don't line up, you can select the "Try heuristics first" option which should help at least a little.

Not really, as the RTP dissector is weak and defaulted off and I'm only interested in performance improvements at this point.
But it brings up a question: some of the heuristic dissectors are for "unusual" protocols and not perfect, and some of the "port" dissectors
are registered in the ephemeral port range (I think); should we default those to off?

>
>Only if two heuristics match the same packet, which is, theoretically, a bug since they can't both be right.
Yes but that's the name of the game for heuristics, isn't it?

Regards
Anders
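
The second-pass concern raised in this thread, as an added example (not code from the thread or from Wireshark): a toy heuristic list in C where a successful heuristic is moved to the front, run twice over the same capture. All names (heur_t, dissect, the two deliberately loose heuristics and the two-packet capture) are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical heuristic dissector: returns 1 if it claims the payload. */
typedef int (*heur_fn)(const unsigned char *p, size_t n);
typedef struct { const char *name; heur_fn fn; } heur_t;
/* Constructed toy heuristics, deliberately loose so that they can overlap. */
static int heur_a(const unsigned char *p, size_t n) { return n >= 2 && p[0] == 0x80; }
static int heur_b(const unsigned char *p, size_t n) { return n >= 2 && p[1] == 0x01; }

/* Try each heuristic in list order; on a match, optionally move it to the front. */
static const char *dissect(heur_t *list, size_t cnt,
                           const unsigned char *p, size_t n, int bubble)
{
    for (size_t i = 0; i < cnt; i++) {
        if (!list[i].fn(p, n))
            continue;
        heur_t hit = list[i];
        if (bubble && i > 0) {
            memmove(&list[1], &list[0], i * sizeof(heur_t));
            list[0] = hit;
        }
        return hit.name;
    }
    return "data"; /* nothing claimed the payload */
}

/* Constructed capture: packet 0 matches both heuristics, packet 1 only B. */
static const unsigned char pkts[2][2] = { {0x80, 0x01}, {0x00, 0x01} };

/* Dissect the capture twice; return how many packets changed protocol on pass 2. */
static int changed_on_second_pass(int bubble)
{
    heur_t list[] = { {"A", heur_a}, {"B", heur_b} };
    const char *first[2];
    int changed = 0;
    for (int i = 0; i < 2; i++)
        first[i] = dissect(list, 2, pkts[i], 2, bubble);
    for (int i = 0; i < 2; i++)
        if (strcmp(first[i], dissect(list, 2, pkts[i], 2, bubble)) != 0)
            changed++;
    return changed;
}

int main(void)
{
    printf("fixed: %d, bubbled: %d\n", changed_on_second_pass(0), changed_on_second_pass(1));
    return 0;
}
```

With a fixed order both passes agree; with reordering, packet 0 is claimed by A on the first pass and by B on the second, and only because both heuristics accept it.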


