Wireshark-dev: Re: [Wireshark-dev] Idea for faster dissection on second pas
From: didier <dgautheron@xxxxxxxx>
Date: Fri, 11 Oct 2013 16:50:11 +0200
Le vendredi 11 octobre 2013 à 09:22 -0400, Jeff Morriss a écrit :
> On 10/10/13 18:22, Evan Huus wrote:
> > It might be simpler and almost as efficient to have
> > recently-successful heuristic dissectors bubble nearer to the top of
> > the list so they are tried sooner. Port/conversation lookups are
> > hash-tables for the most part and likely won't be made noticeably
> > faster by caching.
> 
> Wouldn't that expose us to the risk that the dissection actually changes 
> on the 2nd pass (because the call order of the heuristics changes)? 
> That would look pretty weird...
Yes it would. My memories are fuzzy (I did this stuff more than 5 years
ago) but 
1- you can sort heuristic dissectors by used/unused and keep the
relative order.
2 - after the first pass you can stop at the first unused dissector
3 - and/or saved in packet info a boolean for heuristic/non heuristic
dissector, it helps a lot for packets without leaf dissectors.
 
I think I also extended conversation semantic for not calling
heuristic_try in most cases.

Didier