Wireshark-dev: Re: [Wireshark-dev] Stateless Dissection
From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Mon, 23 Jun 2014 00:05:40 +0200

On Sun, Jun 22, 2014 at 05:07:19PM -0400, Evan Huus wrote:
> After Kurt's recent post I dug up an old patch I'd played with and cleaned
> it up a bit. It still needs some work (documentation at the very least) but
> [1] should add a -Z option to tshark which turns on "stateless" dissection.
> You lose reassembly and all that, but you should get no memory growth at
> all.
> 
> The implementation is a bit of a hack in that stateless dissection still
> does all the stateful work, it just throws it away after each packet (so
> stateless is actually slightly slower than stateful) but it seems to work
> in my simple tests.
> 
> Does this seem useful to people? Ideas for a better flag (Z just happened
> to be handy)? Other thoughts, comments, suggestions?

How about having the cake and eating it (at least partially)?
What I am thinking about is something like keeping state but only for the
last 1000 (insert your favourite number here) packets and only *then* throwing
it away. Or is this unrealistic?

Ciao
   Jörg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
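
The windowed-state idea raised in the reply above, sketched as an added example (not code from this thread or from Wireshark): reassembly state is kept only for entries created within the last `WINDOW` packets, so memory stays bounded but fragments spread further apart than the window never reassemble. All names, the per-entry ageing rule and the fixed `SLOTS` table are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration; every name here is hypothetical, not Wireshark code. */
#define WINDOW 1000u  /* packets of history kept, the "1000" from the mail */
#define SLOTS  64     /* assumed cap on concurrent reassemblies */

struct frag_state {
    int      in_use;
    uint32_t id;         /* datagram id shared by its fragments */
    uint32_t first_pkt;  /* packet number that created this entry */
    uint32_t seen;       /* bit i set once fragment i has been seen */
};
static struct frag_state table[SLOTS];

void reset_state(void) { memset(table, 0, sizeof table); }

int live_states(void)
{
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += table[i].in_use;
    return n;
}

/* Feed fragment idx of total. Returns 1 when the datagram is complete,
 * 0 while it is pending, -1 if the input is rejected or the table is full. */
int feed_fragment(uint32_t pkt, uint32_t id, unsigned idx, unsigned total)
{
    struct frag_state *s = NULL, *spare = NULL;
    if (total == 0 || total > 31 || idx >= total) return -1;
    for (int i = 0; i < SLOTS; i++) {
        /* Throw away state created WINDOW or more packets ago. */
        if (table[i].in_use && pkt - table[i].first_pkt >= WINDOW)
            table[i].in_use = 0;
        if (table[i].in_use && table[i].id == id) s = &table[i];
        else if (!table[i].in_use && !spare) spare = &table[i];
    }
    if (!s) {
        if (!spare) return -1;
        s = spare;
        s->in_use = 1; s->id = id; s->first_pkt = pkt; s->seen = 0;
    }
    s->seen |= 1u << idx;
    if (s->seen != (1u << total) - 1u) return 0;
    s->in_use = 0;  /* complete: release the entry */
    return 1;
}
```

Packet numbers are expected to be non-decreasing, as they are when reading a capture in order.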