Wireshark-dev: Re: [Wireshark-dev] multiple parsing of the same packets
From: Guy Harris <[email protected]>
Date: Wed, 30 Oct 2013 12:01:18 -0700
On Oct 30, 2013, at 7:31 AM, Evan Huus <[email protected]> wrote:

> On Wed, Oct 30, 2013 at 4:14 AM, Matthieu Patou <[email protected]> wrote:
> 
>> Also is it possible to remember the dissection of packet so that we don't do
>> it again and again ?
> 
> It is quite possible, it just takes an enormous amount of memory.

Wireshark (or, as it was called at the time, Ethereal) dissectors originally directly produced a GTK+ tree widget structure, rather than a protocol tree later used to produce the display tree.  The first implementation that produced a separate protocol tree had a bug wherein the trees weren't getting freed; I noticed that when reading in a large file got *really* slow and the machine started thrashing.