Wireshark-dev: Re: [Wireshark-dev] multiple parsing of the same packets

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 30 Oct 2013 12:01:18 -0700

On Oct 30, 2013, at 7:31 AM, Evan Huus <eapache@xxxxxxxxx> wrote:

> On Wed, Oct 30, 2013 at 4:14 AM, Matthieu Patou <mat@xxxxxxxxx> wrote:
> 
>> Also, is it possible to remember the dissection of a packet so that we don't do
>> it again and again?
> 
> It is quite possible, it just takes an enormous amount of memory.

Wireshark (or, as it was called at the time, Ethereal) dissectors originally directly produced a GTK+ tree widget structure, rather than a protocol tree later used to produce the display tree.  The first implementation that produced a separate protocol tree had a bug wherein the trees weren't getting freed; I noticed that when reading in a large file got *really* slow and the machine started thrashing.