Wireshark-dev: Re: [Wireshark-dev] speed optimizations
From: "Didier" <[email protected]>
Date: Thu, 31 Oct 2013 20:34:12 +0100
On Thu, 31 Oct 2013 11:57:35 +0000, Anders Broman wrote
> > Are wireshark's developers interested in reviewing and committing these
> reviewing ,yes certainly . Committing, depends I suspect :-)
> >-1 Base on Yami's work "snapshot feature: apply filter upon previous
displayed packets only" (without the SAT, only using a true table). help a lot
when >users are building filters incrementally or move a lot between them.
> >2 When filtering don't dissect packet if not necessary. Help a lot, can
speed filtering up to 2 orders of magnitude (twice to three time as fast common).
> Could you give a brief description on how it works or is it simpler 
> to just submit a patch? Seems like a waste to do a patch and having 
> it rejected for some reason. I have some ideas on 1 and 2 too and it 
> would be interesting to see if they are similar.

for 1) It add a new op CHECK_HISTORY in filter virtual machine, keep a cache
with the last 64 filter expressions and a per packet 64 bits filters result in
frame_data structure.

When using a new filter it try first to factorize from the cache history up to
8 sub expressions, ex:
filter history:
tcp.stream eq 6

second filter
!(tcp.stream eq 6) 
is substituted with

then it build a three-states true table for the filter expression, states are
TRUE (passed), FALSE (not passed), UNKNOWN (must dissect packet)
for the above there's one history variable and the table is:
V1  R
0   TRUE  passed
1   FALSE not passed

If there's no taps, post-dissectors or column-info there's no need to dissect
packets (minus packet which passed and have dependent frames) the filter
result is known only by looking at the packet bitfield in rescan_packet.

Another filter:
tcp.stream eq 6 and http ==> (CHECK_HISTORY 1) and http

the true table is:
V1  R
0   FALSE   known to be false without decoding packets
1   UNKNOWN must decode packets.

and it only dissect (tcp.stream eq 6) packets

I have a very rough first patch from our version working with current svn.

2) Is doing the same but with protocols ie: during the first pass (when
visited is false) it save in a per packet bitfield its protocols.

When compiling wireshark it's also extract which dissectors don't call
subdissectors or only call them via wireshark API 

Then when filtering it can:

- from the packet protocols bitfield bypass packet decoding (there's no point
to decode and filter on a http field if you already know there's no http in
the packet).

during dissect:
- bypass some 'leaf' dissectors, if a dissector don't call subdissectors and
has no interesting fields for the filter evaluation.
- set tree to NULL when calling dissectors with no 'interesting fields'. I'm
not sure this one is worth it without the AOT transform which convert a
dissector to a bunch of get_tvb..., offset += .., new_tvb_subset ...,