Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Specifying dissectors declaratively

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 19 Apr 2017 11:20:16 -0700
On Apr 19, 2017, at 4:47 AM, Roland Knall <rknall@xxxxxxxxx> wrote:

> Generally speaking we can divide new protocol languages in two different classes:
> 
> - interpreting ones
> - compiled ones
> 
> The interpreting class has LUA and wsgd as representative. They have their benefits, but I do not really like the approach of interpreting at runtime.

And I *do* like it, as

	1) it means you don't need a C/C++ compiler in order to add protocol support;

	2) there are some interesting optimization possibilities - if, for example, you're dissecting only to run some filter on the packets, interpretive code could be modified so as to skip over most packet fields, looking only at those 1) used in the filter or 2) needed in order to figure out how the packet is organized in memory (fields that give the length of other fields, fields specifying the type of a structure, etc.);

	3) the bytecode for the protocol can be "loaded on demand", which might speed up startup;

	4) if the interpreter can fit in the L1 cache, and keep most of its state in registers, it might run reasonably fast.