Per Richard Sharpe
> At 07:52 AM 9/22/00 -0500, Frank Singleton wrote:
>
> >I generally capture all, then run dispaly filters , or sometimes
> >I use display filters while capturing.
> >
> >Can I still do this if I implement conversations, according to the
> >above comments. Or is there something else more applicable.
> The approach that I think has to be taken is the following:
>
> 1. The initial pass through the packets uses a conversation to
> accumulate all the info it needs during subsequent passes.
>
> 2. For each packet during the initial pass, save any info in per
> packet data that cannot be easily re-computed, or which depends on
> previous packets. This is required when the user jumps all over
> the place.
>
> 3. On subsequent access to packets, check for per-packet/frame data
> first and use that if it exists, else use what is in the
> conversation and what you can dissect.
>
> 4. If a rescan occurs, it does not matter, because the conversation
> stuff is blown away, as is the per-frame data, so you start over
> again as if it were the first time.
Excellent advice. The only thing I would add is to use the
frame_data flags.visited to see if this is the initial pass and
the packet hasn't been dissected yet.
Jeff Foster
jfoste@xxxxxxxxxxxx
