Wireshark-dev: Re: [Wireshark-dev] Stateless Dissection

From: Evan Huus <eapache@xxxxxxxxx>
Date: Sun, 22 Jun 2014 18:09:24 -0400
On Sun, Jun 22, 2014 at 6:05 PM, Joerg Mayer <jmayer@xxxxxxxxx> wrote:
> On Sun, Jun 22, 2014 at 05:07:19PM -0400, Evan Huus wrote:
> > After Kurt's recent post I dug up an old patch I'd played with and cleaned
> > it up a bit. It still needs some work (documentation at the very least) but
> > [1] should add a -Z option to tshark which turns on "stateless" dissection.
> > You lose reassembly and all that, but you should get no memory growth at
> > all.
> >
> > The implementation is a bit of a hack in that stateless dissection still
> > does all the stateful work, it just throws it away after each packet (so
> > stateless is actually slightly slower than stateful) but it seems to work
> > in my simple tests.
> >
> > Does this seem useful to people? Ideas for a better flag (Z just happened
> > to be handy)? Other thoughts, comments, suggestions?
>
> How about having the cake and eating it (at least partially)?
> What I am thinking about is something like keeping state but only for the
> last 1000 (insert your favourite number here) packets and only *then* throwing
> it away. Or is this unrealistic?

Possible, but I think it would be confusing. There's no way to do a sliding window of state, so doing this you would get reassembly *most* of the time, except when the packets being reassembled happened to cross one of those n-packet boundaries. As such the dissection would be inconsistent, which isn't very nice.

Perhaps better would be a flag to throw out state every time the ring-buffer cycles files (assuming ring-buffer is enabled)?

Evan