Ethereal-dev: RE: [Ethereal-dev] Flow graph functionality

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Francisco Alcoba (TS/EEM)" <francisco.alcoba@xxxxxxxxxxxx>
Date: Fri, 22 Jul 2005 08:11:23 +0200
>>>  in the case of a loopback packet it happens to be the same port too.
>> 
>>  In this particular case, it uses ports 5060 and 5061. So the previous idea
>> should work in this case.

>>  Ok, when IP and port are the same, we can use a DOT line.
>>  Just out of curiosity, are these two cases "normal"? To me it looks like it should
>> only happen in a dev environment.

>As far as calls go the only calls I'm aware of that use signalling
>and involve a single node happen in labs (BTW a protocol analyzer is
>very useful in the lab too!). But in applications of Francisco's Flow
>Graph dialog (that uses graph_analysis too) that can happen often.

I'm afraid I'm a bit lost here, but just in case I understood it correctly...
If the "previous idea" refers to having two different columns for the same IP
with different ports, then I don't think that would be useful. The whole point
of the graph is seeing the packets moving through the network, so I would like
to know -in either VoIP calls or the general flow graph- when a packet is sent
from a node that has received another one, and this might be using a different
port. For instance, in a SIP call, I might have:

             Proxy
------->(5060) |
INVITE         |
               |
               | (7777)-------->
               | INVITE

The same goes for the general, for instance for a box that receives a DNS answer
that solves a domain name and then sends HTTP traffic there, a NAT translation, etc.

If those are different columns then it makes it more difficult to realize what is
happening. And if there is some packet in the middle that causes them to be
a few columns apart then it is almost impossible:

             Proxy          Some other           Proxy
------->(5060) |                 |                  |
INVITE         |                 |                  |
               |                 |                  |
               |                 |(333)---------------------------->
               |                 |               WHATEVER
               |                 |                  |
               |                 |                  |(7777)-------->
               |                 |                  |INVITE


I wonder if something like this might be done -my understanding of GTK is null-:

Sender            Proxy           Receiver
    |------->(5060) |                |
    |INVITE         |                |
    |               |                |
    |       (5060)---->(7777)        |
    |            INVITE              |
    |               |                |
    |               | (7777)-------->|
    |               | INVITE         |

It would work for either same or different port/transport, for both directions,
and the visual perception would be kept. For the ASCII dump I don't think it would 
be difficult, but the graph is out of my reach.

Regards,
 Francisco