During a capture I came across a situation like that (A&A1 are correlated
and so are B&B1):
A B A1 B1
And A1 was dissected as if it were related to B.
As you suggested me I could redefine the notion of conversation but I'm
afraid it wouldn't work
in any case since there's no way for packet A1 to determine which
conversation it belongs to.
Then I thought:
What if I started only ONE conversation and associated to it a GHashtable
into which I'd insert
all the data structures I come across during a capture?
Are there any dissectors dealing with similar problems?
> Now, if the packets are sniffed in this order:
>
> A A1 B B1
...then, if they're between the same endpoint pair, the first conversation
finishes some time between A1 and B, so that could work.
> now, let's consider this scenario (even if improbabile is not
impossible)
>
> A B A1 B1
...in which case A and A1, and B and B1, must be between different
endpoint pairs, otherwise that doesn't fit the model of (transport-layer)
conversations and thus the conversation mechanism can't be used.
> When A1 is sniffed the returned conversation is B
If the returned conversation is B for the packet A1, then they must be
between indistinguishable endpoints, and thus the conversation mechanism
has no way of determining to which conversation A1 belongs.
> Are there any other ways of solving this problem?
You could define and implement a notion of a "conversation" different from
the transport-layer end-point oriented notion implemented by the current
conversation code, and use that instead.
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
_________________________________________________________________
250MB per la tua casella di posta http://www.msn.it/hotmail/minisite_10
Trova immediatamente qualsiasi tipo di file.
