On Sat, Nov 13, 1999 at 03:50:43PM -0800, Guy Harris wrote:
> > (It *might* be possible to evaluate the expression as the dissection is
> > done, doing all the dissection work for a particular field only if that
> > field actually appears in a plugin's filter expression. Doing that
> > might also let us speed up display filtering, display searching, and
> > display coloring - the only time you need *all* the fields is when
> > you're building the detail view for display or printing.)
>
> Or, as an alternative, we could handle expressions that do an equality
> comparison on certain fields specially - have a "proto.c" routine that
> can check whether a dfilter expression checks if a particular field
> (specified by its name, or by its index) is equal to a constant and, if
> so, returns the constant, and, if the expression is, say "tcp.port ==
> 666", we could just have TCP check for that port number (by checking in
> a list, or looking it up in a hash table, or...).
Before calling dissect_packet(), we could fill an array of booleans,
indicating which protocols the display filter expression needs. Inside
each dissector, much like the 'if (tree)' check, the dissector could
check to see if we're looking for the detailed decode of that protocol,
and if not, call the next dissector:
dissector_xxx()
{
.... dissect a little bit ...
if (tree && proto_decode_needed(hf_xxx)) {
...decode more...
}
if such-and-such
dissect_yyy()
else
dissect_data()
}
Of course, more work is needed if you want finer granularity.
--gilbert
