Wireshark-dev: Re: [Wireshark-dev] multiple parsing of the same packets

From: Evan Huus <eapache@xxxxxxxxx>
Date: Wed, 30 Oct 2013 10:31:53 -0400

On Wed, Oct 30, 2013 at 4:14 AM, Matthieu Patou <mat@xxxxxxxxx> wrote:
> Hello,
>
> I noticed a long time ago that Wireshark is parsing the same packet at least 3
> times.
>
> To make it worse, if I go back and forth to the same packet it will be
> dissected one more time.
> With complex protocols like DRS (directory replication for Active Directory)
> it's really a problem as the UI freezes for a while.

Is the protocol really so complex that dissecting a single packet of
it takes a user-visible amount of time? That seems suspect to me.

> First thing, why 3 dissections initially? Is there a way to reduce this to
> 2? I more or less understand why 2 passes are needed but 3 ...

It is in theory possible; the third pass is usually to fill in either
the column or tree information. We could in theory pull that straight
from the second pass, but we would have to calculate in advance which
packets are visible, which may or may not be easy.

> Also, is it possible to remember the dissection of a packet so that we don't do
> it again and again?

It is quite possible; it just takes an enormous amount of memory. I
actually hacked together a patch for this a few weeks ago while doing
some performance tests [1].

[1] http://www.mail-archive.com/wireshark-dev@xxxxxxxxxxxxx/msg29107.html