Wireshark · Wireshark-dev: Re: [Wireshark-dev] Should payload dissectors' (RTP) packets depend on call-setup dissectors' (SIP)

[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

Richard Sharpe wrote:
> On Fri, Jun 1, 2012 at 11:44 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
>> One of the more frequently asked questions/reported bugs is users filtering
>> for RTP, saving^W exporting those displayed packets, then opening the new
>> capture file only to find plain UDP.  This is because the call-setup
>> protocol (e.g., SIP) wasn't included in the display filter.
>>
>> Now we have the ability to mark frames as dependent on others.  Should, for
>> example, RTP frames mark the call-setup frames as dependencies?  (I noticed
>> that RTP has a Setup Frame field; would one frame really be enough?)
> 
> An alternative, but more radical approach, might be to export the
> state that is needed to correctly dissect the packets.
> 
> We could lobby for an additional application-specific state record in
> pcap-ng or an application-specific option field. The state could be an
> asn.1 encoded blob, or whatever.

True.  But I like the idea of adding ~1 line of code to the RTP
dissector and making all those questions go away.

Though I am nervous about this whole packet-dependency thing causing
users to say "I filtered on RTP and you saved my SIP too!"