Wireshark · Wireshark-dev: [Wireshark-dev] Follow TCP stream - FTP protocol Export Object

["leonardocito@xxxxxxxxx" <leonardocito@xxxxxxxxx>]

I am implementing object export for the FTP protocol ( File-> Export Object -> FTP...).

I need to identify the last packet in the FTP-DATA stream for calling the function tap_queue_packet and send the object to the gui for display.

The ideal solution would be to compare the sum of accrued payloads with the file size. However this information is not provided in the headers.

I have thought of two possible strategies, none of wich is optimal:

1. use the dissector transfer speed and duration for estimanting the approximate file lenght; however thow would require matching the FTP-DATA conversation and the relevant 226 code response from the header and that is not so straight forward.
   
2. use the same approach used in the follow TCP Stream command. However it seems that feature is heavily based on applyng a display filter and seems to dependant on the gui.
3. If I could match each FTP packet to the TCP packet that transported, then I could do all the checks needed to establish if the connection is being closed. However I have not found a way to march FTP-DATA packets the relevant TCP packet.

What is the best way to proceed? Can somebody please help me?