Wireshark-dev: [Wireshark-dev] Stateless Dissection

From: Evan Huus <eapache@xxxxxxxxx>
Date: Sun, 22 Jun 2014 17:07:19 -0400
After Kurt's recent post I dug up an old patch I'd played with and cleaned it up a bit. It still needs some work (documentation at the very least) but [1] should add a -Z option to tshark which turns on "stateless" dissection. You lose reassembly and all that, but you should get no memory growth at all.

The implementation is a bit of a hack in that stateless dissection still does all the stateful work; it just throws it away after each packet (so stateless is actually slightly slower than stateful), but it seems to work in my simple tests.

Does this seem useful to people? Ideas for a better flag (Z just happened to be handy)? Other thoughts, comments, suggestions?