Ethereal-dev: Re: [ethereal-dev] TCP/UDP protocol dissector lookups

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 2 Mar 2000 13:55:20 -0800 (PST)

> I know this is an unusual setup...

I.e., this isn't an issue of how this functions "on a trace that does a
router hop", it's a function of how this functions if a particular LAN
segment contains two subnets *and* you can't convince two machines on
the same LAN segment (as indicated by the fact that the machine running
the sniffer program sees the packet twice) that they don't need to go
through a router to talk to each other.  Most traces that involve a
router hop involve multiple network segments.

> To eliminate this situation and make the sniffer see two copies of the 
> same conversation, not one conversation with two copies of every packet,
> you would have to consider both DLC (layer 2) and IP (layer 3) addresses
> in the conversation hash.

If there are two copies of the same packet in a network trace, many
packet analyzers - including Ethereal - may mishandle the trace for
*other* reasons.

Given that, I'm not particularly inclined to teach the conversation code
to worry about this specialized situation - especially if doing so would
cause it to think that a conversation where some of the traffic goes
through one router and some of the traffic goes through another router,
perhaps because the first router crashes and traffic gets redirected
through another router, was two conversations.
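
The trade-off discussed in this message, as an added example that is not part of the original post and is not Ethereal's conversation code: a simplified matcher that counts conversations keyed on IP addresses and ports only, or on those plus the MAC pair. The struct, function names, addresses and shortened MAC labels (`aa`, `bb`, `r1`, `r2`) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed packet summary: only the fields a conversation key could use. */
struct pkt { const char *smac, *dmac, *sip, *dip; unsigned sport, dport; };

/* Match in either direction; with use_l2 the MAC pair must agree too. */
static int same_conv(const struct pkt *a, const struct pkt *b, int use_l2)
{
    int fwd = !strcmp(a->sip, b->sip) && !strcmp(a->dip, b->dip) &&
              a->sport == b->sport && a->dport == b->dport;
    int rev = !strcmp(a->sip, b->dip) && !strcmp(a->dip, b->sip) &&
              a->sport == b->dport && a->dport == b->sport;
    if (!use_l2) return fwd || rev;
    if (fwd) return !strcmp(a->smac, b->smac) && !strcmp(a->dmac, b->dmac);
    return rev && !strcmp(a->smac, b->dmac) && !strcmp(a->dmac, b->smac);
}

int count_conversations(const struct pkt *p, int n, int use_l2)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        int j = 0;
        while (j < i && !same_conv(&p[i], &p[j], use_l2)) j++;
        count += (j == i);  /* no earlier packet matched: new conversation */
    }
    return count;
}

const struct pkt dup_trace[4] = {      /* constructed: each packet captured twice */
    {"aa", "r1", "10.0.0.5", "10.0.1.9", 1025, 80},  /* host A -> router */
    {"r1", "bb", "10.0.0.5", "10.0.1.9", 1025, 80},  /* router -> host B */
    {"bb", "r1", "10.0.1.9", "10.0.0.5", 80, 1025},
    {"r1", "aa", "10.0.1.9", "10.0.0.5", 80, 1025},
};
const struct pkt failover_trace[4] = { /* constructed: router r1 fails, r2 takes over */
    {"aa", "r1", "10.0.0.5", "10.0.1.9", 1025, 80},
    {"r1", "aa", "10.0.1.9", "10.0.0.5", 80, 1025},
    {"aa", "r2", "10.0.0.5", "10.0.1.9", 1025, 80},
    {"r2", "aa", "10.0.1.9", "10.0.0.5", 80, 1025},
};

int main(void)
{
    printf("duplicates %d/%d, failover %d/%d (IP+port key / with MACs)\n",
           count_conversations(dup_trace, 4, 0), count_conversations(dup_trace, 4, 1),
           count_conversations(failover_trace, 4, 0), count_conversations(failover_trace, 4, 1));
    return 0;
}
```

Adding the MAC pair to the key separates the two copies in the duplicated trace, but it also splits the single failover conversation in two.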