Wireshark-dev: Re: [Wireshark-dev] What ftypes are "compatible" enough for duplicate fields?
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 21 Feb 2014 15:27:42 -0800
On Feb 21, 2014, at 11:43 AM, Hadriel Kaplan <hadriel.kaplan@xxxxxxxxxx> wrote:

> A different question though is why FT_UINT64 isn't in the same group as the other FT_UINT* ones.

Because Wireshark was developed in an era where the majority of platforms on which it ran were 32-bit, so we made the integral types 32-bit (not all C compilers, at the time, supported 64-bit integral data types on 32-bit platforms), and later added 64-bit integral types - and we were probably thinking with a 32-bit mindset when we did that, as I think that predated x86-64, so the majority of platforms, at least by "number of seats" rather than by counting each ISA, in both its 32-bit and 64-bit versions, as a platform, were probably still 32-bit.

The "value" union member of a "struct fvalue" is a union of a number of types, the biggest of which are, on an ILP32 system, 128 bits (IPv6 address, GUID), so it's not as if representing all integral values as 64-bit would increase the memory usage of protocol trees.

It might increase memory bandwidth usage (but, with caches in the way, maybe not), and might lengthen code paths a bit, but I don't know how big of a hit that'd be.

It might be interesting to try, for example, running a huge capture file through TShark with separate union members for up-to-32-bit and 64-bit integral values, on a system with a 32-bit processor, and see whether it makes a difference worth caring about.  If not, we might want to consider storing all integral values as 64-bit, and having FT_{U}INT64 in the same groups as the other FT_{u}INTn types.

> Also, what about FT_NONE?  Lots of current duplicate fields have one of the duplicates as FT_NONE - why I don't know, but I don't think that breaks filtering input.

If foo.bar is of type FT_UINTn, you could do "foo.bar == 17"; I'm not sure you can do anything with an FT_NONE field other than test for its existence (if you want to compare it with something, make it FT_BYTES).

So I'm not sure what it'd mean if a dissector had both FT_something and FT_NONE versions of a field.