Laura Chappell

Wireshark's Packet List Sorting Change - What a Pain!

According to Wireshark 4's NEWS text file, "Packet list sorting has been improved."

I beg to differ and would like to see this "improvement" changed.


Here's the full text from NEWS:


Packet list sorting has been improved:

• When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.

• The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout

• Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that are calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.


A GOOD CHANGE

        • When sorting packet list with a filter applied, only the visible packets are sorted, which greatly increases sorting speed.


This makes perfect sense and makes one wonder why we would have sorted the non-displayed packets previously.


A NOT-SO-GOOD CHANGE

        • The cache size for column text is limited to a default of 10000 rows, which limits the maximum memory usage. The maximum value can be changed in Preferences→Appearance→Layout


What? 10,000 rows (e.g., 10,000 visible packets)? My traces/examinations have 10,000 rows frequently. "But why don't you filter, Laura - then you don't have as many packets to review." Well, filtering has its place certainly, but when I'm trying to pull the largest and the smallest advertised window size when a client loads a remote web site - I'll just add and sort that column. Boom. Done. If I want to separate out the TCP conversations based on the TCP Conversations Flags, I will just add and sort that column. Boom. Done.


[Image: Error on Wireshark's status bar]

I've stumbled across this change daily, and I think this value is way too low - in addition, I think this setting should be set once for Wireshark, not individually for each profile.


Now, one of my first changes to make for every new profile (besides adding my UDP/TCP Stream Index column) is to bump up this setting in Preferences | Appearance | Layout.


[Image: Preferences setting for cached rows]
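Because the setting is stored per profile, the change can also be applied to every profile in one pass. The script below is an added example, not part of the original post or the Wireshark project; the key name `gui.packet_list_cached_rows_max` is an assumption about how this setting appears in each profile's `preferences` file, and the configuration directory is passed in by the user.

```python
import re
import sys
from pathlib import Path

# Assumed key for Preferences > Appearance > Layout "cached rows";
# confirm it against a preferences file saved by your Wireshark version.
PREF_KEY = "gui.packet_list_cached_rows_max"


def set_pref(text, key, value):
    """Set `key` in preferences text, replacing an active or commented-out
    ("#key: ...") line, or appending the key if it is absent."""
    pattern = re.compile(rf"^#?[ \t]*{re.escape(key)}[ \t]*:.*$", re.MULTILINE)
    line = f"{key}: {value}"
    if pattern.search(text):
        return pattern.sub(line, text)
    sep = "" if not text or text.endswith("\n") else "\n"
    return f"{text}{sep}{line}\n"


def pref_files(config_dir):
    """Yield the default preferences file, then one per named profile."""
    if not config_dir.is_dir():
        return
    yield config_dir / "preferences"
    profiles = config_dir / "profiles"
    if profiles.is_dir():
        for p in sorted(profiles.iterdir()):
            if p.is_dir():
                yield p / "preferences"


def apply_to_all(config_dir, rows):
    """Write the cached-rows limit into every profile; return changed files."""
    changed = []
    for f in pref_files(Path(config_dir)):
        old = f.read_text(encoding="utf-8") if f.exists() else ""
        new = set_pref(old, PREF_KEY, rows)
        if new != old:
            f.write_text(new, encoding="utf-8")
            changed.append(f)
    return changed


if __name__ == "__main__":
    # Usage: script.py <wireshark-config-dir> [rows]
    rows = int(sys.argv[2]) if len(sys.argv) > 2 else 50000
    for path in apply_to_all(sys.argv[1], rows):
        print("updated", path)
```

Run it with Wireshark closed, since saving preferences from a running instance rewrites the file from the values it holds in memory.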

IT COULD BE WORSE

        • Due to the above, columns that require packet dissection can only be sorted if the number of visible rows is less than the cache size. If there are more rows visible, a warning will appear. Columns that do not require packet dissection (those that are calculated directly from the capture file frame headers, such as packet number, time, and frame length) can be sorted with any number of visible rows.


At least not every column is affected by this change to sorting the Packet List pane. Thank goodness for small favors, eh?


I increase my cached rows to 50,000 to start. What do you think? Do you think this was a good/bad/ok change to Wireshark?


Enjoy!



