The following patches try to optimize Wireshark a little.
But how fast can Wireshark run?
A small test:
- With all names resolution disable and colorization enable load a 'big' capture.
- Disable colorization and reload, faster isn't it?
- Remove all columns but the first and reload.
- Last but not least disable all protocols and reload.
A faster Wireshark is easy: don't filter packets, don't display and don't decode them.
What's in the patches?
I assume that Wireshark dissectors output is idempotent so:
- Colorize (apply colors filter) only once.
- Compute columns info only once by using a modified Gtk2 ethclist for the packets list.
keep a per packet protocols list and when filtering only decode relevant packets/protocols ex:
In a SMB capture:
packet 1 Protocols in frame: eth:ip:tcp
packet 2 Protocols in frame: eth:ip:tcp:nbss:smb
The filter smb.file == "foo" will not decode packet 1 at all and in packet 2 eth, ip, tcp and nbss dissectors will be called with tree == NULL.
On my computer with no names resolution enable for: wiki SMB netbench sample
- load 10 times faster.
popup menu 'conversation filter -> TCP' 10 times faster (return all packets).
filter "smb.file == "\\clients\\client2" 15 times faster (return 3 packets).
filter arp return 0 packets in zero second.
filter smb || udp return 10086 packets in 50 ms.
- Capture if compiled for gtk2 with thread enable (but does it work with the svn version?).
- Some stats because they always set a tap listener.
- many others I don't know.
Recent version but only for uncompressed files and may work only on Linux: patch.29854.diff.gz
Patch against svn (version in file name): patch.29079.diff.gz
Modified SAT solver cf. http://wiki.wireshark.org/Development/FastFiltering sat.29079.diff.gz