> > * Is it feasible to redissect just a part of the packets, with only
> > the file
> > offset of each packet known?
>
> No.
>
> It *is* feasible to do so with the "frame_data" structure, however.

So, from within the tap routine I would have to make a copy of
*(pinfo->fd) and store that?

> You'd need to duplicate what "redissect_packets()" does, but only have
> it dissect the packets in that list, and somehow arrange that only the
> RTP tap be called.

Ok, but there is another problem: Packet dissectors will call those
col_XXX_str functions for constructing the entries of the packet CList.
But actually the dissectors shouldn't do anything regarding the packet
CList, they should just build the protocol tree and call their
subdissectors. The problem could possibly be handled by setting a global
redissection mode, where in mode "PROTOCOL_TREE_ONLY", the col_XXX_str
functions would return immediately, doing nothing.

Any other solution?

> > * Alternatively, only offsets to the RTP data itself (i.e. UDP payload)
> > could be stored in the list and the rtp_analysis would work directly
> > with
> > these, instead of using the tap mechanism. (i.e. packets will not be
> > redissected at all)

*snip*

> I would not recommend that approach.

Do you mean only the last alternative or the entire idea of speeding up
RTP analysis?

Lars.
