On Wed, 14 Jan 2004, Guy Harris wrote:
>
> On Jan 14, 2004, at 5:52 PM, Richard Sharpe wrote:
>
> > He uses tethereal with the SQL patch to store info in MySQL and then does
> > lots of interesting postprocessing on the data. He claims that they can
> > process at about 30Mbps, and, using 0.9.16, experiences something like a
> > 300% speed improvement if he removes all but the half-dozen protocols they
> > are interested in and the protocols required to reach those protocols.
>
> Because it just doesn't bother calling their dissectors, but just
> dissects them as data?

Yes, that is what I thought.

> So what they really want is a way to prevent particular dissectors from
> handing anything off to subdissectors. That *could* be done at startup
> time, but I could also imagine somebody wanting to dynamically turn off
> handoff from some particular protocol *and* turn it on again, so that
> they could, for example, look at a trace purely from the standpoint of
> TCP and then turn handoff from TCP back on again.

Yes, that is true, but in this case, he would probably re-run tethereal
over the same capture with a different set of protocols (perhaps none)
disabled.

> The various handoff routines currently don't know what dissector is
> doing the handoff; that could be changed in a couple of ways:
>
> 1) make it an explicit argument;
>
> 2) keep that information in the "packet_info" structure.
>
> The former requires API changes; the latter wouldn't, as the handoff
> routines could maintain that, just as they maintain the "current_proto"
> member of the "packet_info" structure. (It'd require changes in those
> few places where handoff isn't done with handoff routines - those could
> be found by looking for places where "pinfo->current_proto" is
> changed.)

Hmmm, it is not clear to me how that helps to prevent dissection beyond a
particular horizon ... perhaps I am just jetlagged ...

Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
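
Added example, not part of the original message and not Ethereal's code: a toy C model of the second option quoted above, where the handoff routine reads the handing-off protocol from "current_proto" and substitutes a data dissector when handoff from that protocol is switched off. All `toy_*` names, the switch table and the ip/tcp/http chain are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for "packet_info": only the fields this sketch needs. */
typedef struct {
    const char *current_proto;  /* maintained by the handoff routine */
    int dissected;              /* how many protocol dissectors ran */
} toy_pinfo;
typedef void (*toy_dissector)(toy_pinfo *);
/* Hypothetical per-protocol switch: is handoff from this protocol off? */
static struct { const char *proto; int off; } toy_prefs[] = { {"ip", 0}, {"tcp", 0}, {"http", 0} };
#define N_PREFS (sizeof toy_prefs / sizeof toy_prefs[0])
static int *toy_off(const char *proto) {    /* find the switch for proto */
    for (size_t i = 0; i < N_PREFS; i++)
        if (strcmp(toy_prefs[i].proto, proto) == 0) return &toy_prefs[i].off;
    return NULL;
}
/* Callable at any time, so handoff can be turned off and back on again. */
void toy_set_handoff(const char *proto, int enabled) {
    int *off = toy_off(proto);
    if (off) *off = !enabled;
}
static void toy_dissect_data(toy_pinfo *p) { (void)p; /* payload left opaque */ }

/* Handoff routine: the protocol doing the handoff is whatever current_proto
 * holds on entry, so no extra argument is needed to identify it. */
void toy_call_dissector(const char *name, toy_dissector d, toy_pinfo *p) {
    const char *from = p->current_proto;
    int *off = from ? toy_off(from) : NULL;
    if (off && *off) { name = "data"; d = toy_dissect_data; }  /* horizon reached */
    p->current_proto = name;
    d(p);
    p->current_proto = from;    /* restore for the caller */
}
static void toy_dissect_http(toy_pinfo *p) { p->dissected++; }
static void toy_dissect_tcp(toy_pinfo *p) { p->dissected++; toy_call_dissector("http", toy_dissect_http, p); }
static void toy_dissect_ip(toy_pinfo *p) { p->dissected++; toy_call_dissector("tcp", toy_dissect_tcp, p); }
/* Dissect one constructed ip/tcp/http packet; returns how many dissectors ran. */
int toy_dissect_packet(void) {
    toy_pinfo p = { NULL, 0 };
    toy_call_dissector("ip", toy_dissect_ip, &p);
    return p.dissected;
}
int main(void) {
    printf("all handoff on:  %d dissectors\n", toy_dissect_packet());
    toy_set_handoff("tcp", 0);
    printf("tcp handoff off: %d dissectors\n", toy_dissect_packet());
    return 0;
}
```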