Hi,

I am trying to understand at what point Ethereal dissects packets. From the
README.developer it sounds like a packet is only dissected when it becomes
the selected packet and needs to be displayed in the tree view. This seems
like the most memory-efficient scheme because you would only need enough
memory to hold the data for all of the packets that have been captured, and
not all of the data generated by the dissectors as well.

If this is the case, how do statistics collection and filtering work?
Don't you need to have dissected a packet to apply a filter because the
filters rely on the fields extracted by the dissectors? I guess that each
packet could be dissected when it is captured, tested against the filter and
then the dissection freed.

The reason for these questions is that I have got my Windows GUI for
Ethereal working well, but it is taking far too much memory. The strategy
that I had adopted is that each packet is fully dissected when it is
received, but I wonder now if that was a good idea.

Regards,
Chris.