Wireshark mailing list archives
Conversations - addresses/ports, more general endpoints, and "circuits" with their own IDs
From: Guy Harris <guy () alum mit edu>
Date: Sat, 28 Oct 2017 20:12:53 -0700
Michael Mann is looking at generalizing conversations to handle arbitrary endpoints, presumably not necessarily in the form of an AT_ address plus a PT_ numeric port ID. We also have the notion of "circuits", which are like conversations except that they're identified by a single "circuit ID" rather than by endpoints; the circuit types currently supported are CT_DLCI, /* Frame Relay DLCI */ CT_ISDN, /* ISDN channel number */ CT_X25, /* X.25 logical channel number */ CT_ISUP, /* ISDN User Part CIC */ CT_IAX2, /* IAX2 call id */ CT_H223, /* H.223 logical channel number */ CT_BICC, /* BICC Circuit identifier */ CT_DVBCI, /* DVB-CI session number|transport connection id */ and there's also CT_ISO14443 /* ISO14443 connection between terminal and card the circuit ID is always 0, there's only one such connection */ but presumably there's only one such circuit per capture, and there's a comment noting that an ATM VPI/VCI pair could also be a circuit ID. The conversation and circuit structures are used to hold: starting and ending frame numbers (mainly used when testing whether a packet is or isn't in a conversation/circuit, I think); state data dissectors keep for a given conversation/session; a "next dissector" for the protocol for the conversation type, so a dissector can say "dissect everything in this conversation as XXX". Some thoughts that come to mind: 1) While we're generalizing conversations, should we have a "superclass" that includes both endpoint-labeled conversations and ID-labeled circuits, so that they can offer common services to dissectors? 2) Can we use conversations/circuits elsewhere, e.g. in the conversations and endpoints UI functions? 3) Would it be useful to add to the "Dissect As..." mechanisms the ability to say, from the UI, "dissect the conversation/circuit to which this packet belongs as...", rather than just "dissect this {packet type, transport-layer port} as..."? 4) Can we further generalize conversations/circuits to include, for example, multiple endpoint pairs/circuit IDs, so that, for example, an NFSv2 or NFSv3 "conversation" would include NFS traffic, NLM (lock manager) traffic, and mount protocol traffic? ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Conversations - addresses/ports, more general endpoints, and "circuits" with their own IDs Guy Harris (Oct 28)