Re: Conversations across interfaces

[Guy Harris <guy () alum mit edu>]

On Oct 24, 2012, at 9:54 AM, "Kaivaram, Pavan" <pavank () qti qualcomm com> wrote:

> I am using pcapng format to store data from my modem. Modem supports two interfaces (PPP/IP) and I am using two IDB 
> sections in pcapng to represent this. However both interfaces have the same IP as seen from TCP and higher layers and 
> they don’t exist at the same time.

I.e., this is some flavor of teaming (PPP Multilink, etc.)?
>  
> When I generate conversations statistics from ethereal

(Presumably meaning "Wireshark", as pcap-NG support was added after the name changed from Ethereal to Wireshark.)

> for a particular TCP flow which started on Interface 1 and ended on Interface 2 it shows up as two separate flows in 
> conversation statistics with same ip:port pairs.

So you have a single pcap-ng file, with two interfaces, and with packets between {ip1:port2} and {ip2:port2} on both 
interfaces, and the conversation statistics show two separate conversations?

The conversation code shouldn't even know that the packets are on different interfaces, so that sounds like a bug; 
could you file a bug on that and attach one of the network traces so we can try to debug it?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe