I have a small pcap with just one packet in it. I also have a Lua dissector that analyzes the protocol used in the packet. There is a line of debug info in the dissector. The debug info should only be output once if the packet is analyzed once. To my surprise, when I click on the pcap in Wireshark, the debug info is output multiple times. In Mac it is output 18 times, and in Windows, it is output 3 times. Why is this? asked 01 Apr '14, 07:58  YXI |
One Answer:
First the entire file is read is read in sequence then packets are read "by the GUI" to display them. If a packet is "clicked" it will be re-read if the packet list is scrolled the packet the packets that becomes vissible will be re-read. Why the MAC (Qt?) version reads them 18 times I don't know.(There is a bug report about that.) answered 01 Apr '14, 09:13  Anders ♦ |
don't they claim to have the better (best) system? So, I guess they do everything better than windows, even analyzing a frame in Wireshark. And what is better than 3 times? Of course: 18 times ;-))
But it only takes the Mac the same time to analyze it 18 times, as it takes Windows to analyze it 3 times. ;)
dammit .....
What about Linux? I bet those smart guys can make in one shot and less than half the time, it takes to boil an egg in the center of the sun.