Wireshark-dev: Re: [Wireshark-dev] Should payload dissectors' (RTP) packets depend on call-setu
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 04 Jun 2012 17:02:13 -0400
Andreas Sikkema wrote:
On 6/1/12 22:42 , Gerald Combs wrote:
On 6/1/12 1:15 PM, Jeff Morriss wrote:
Though I am nervous about this whole packet-dependency thing causing
users to say "I filtered on RTP and you saved my SIP too!"
A few months ago I talked to someone who complained that Wireshark
*didn't* do that. In his case it would've been useful to see related
ARPs when filtering down to a TCP stream.


Yes, but where does one stop going down that route? For RTP initiated by
SIP one might want to be able to save the related SIP messages. For RTP
initiated by H.323 it already needs H.225 and H.245, for some of the
UMTS/3G protocols there's probably loads more involved. If you want
context for a call IMHO it is up to the user to provide the context
using capture/display filters. Not all context can be provided by
conversations.

Yeah, this example had me thinking the same thing. Certainly I would never have considered TCP bringing in ARP, but I can see how a user might expect/want it. Maybe it's better to leave them with the current "be careful what you filter out!" behavior.