Wireshark mailing list archives
Re: Conversations - addresses/ports, more general endpoints, and "circuits" with their own IDs
From: Luke Mewburn <luke () mewburn net>
Date: Sun, 6 Jan 2019 11:04:03 +1100
[attempting a resend, 13 months later]

On Sat, Oct 28, 2017 at 08:12:53PM -0700, Guy Harris wrote:
| Michael Mann is looking at generalizing conversations to handle
| arbitrary endpoints, presumably not necessarily in the form of an
| AT_ address plus a PT_ numeric port ID.
|
| [...]
|
| Some thoughts that come to mind:
|
| 1) While we're generalizing conversations, should we have a
| "superclass" that includes both endpoint-labeled conversations and
| ID-labeled circuits, so that they can offer common services to
| dissectors?
|
| 2) Can we use conversations/circuits elsewhere, e.g. in the
| conversations and endpoints UI functions?
|
| 3) Would it be useful to add to the "Dissect As..." mechanisms the
| ability to say, from the UI, "dissect the conversation/circuit to
| which this packet belongs as...", rather than just "dissect this
| {packet type, transport-layer port} as..."?
|
| 4) Can we further generalize conversations/circuits to include, for
| example, multiple endpoint pairs/circuit IDs, so that, for example,
| an NFSv2 or NFSv3 "conversation" would include NFS traffic, NLM
| (lock manager) traffic, and mount protocol traffic?

Another conversation type to consider refactoring to a more general framework is TCAP transactions.

TCAP currently uses its own conversation matching, enabled with obscure TCAP preferences (as "Service Time Analysis" and "Persistent stats for SRT"). As such, currently TCAP doesn't benefit from some of the fancier conversation display support that other protocols support.

There's been a few bugs & fixes over the years for the TCAP (+SCCP) transaction matching (I've fixed a couple myself), including:
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10841
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13739
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13926

(Unfortunately I was behind on my email and wasn't around to contribute to the discussion of the fixes 13739 and 13926).

The conversation endpoint identifier for TCAP could still be the relevant SCCP GT + TCAP TID, with provision for changing GT in the first TCAP CONTINUE as part of the TCAP "dialogue confirmation".

A complication is SCCP global title translation (GTT) where the packets contain a slightly different GT in subsequent packets _unrelated_ to dialogue confirmation, possibly changing the GT of the original calling party mid-transaction! E.g., the addition of trailing digits to the GTs. This is difficult to implement without external configuration and knowledge of the network behaviour. Possibly solved with a preference table of GTs to translation, or even a lua function, for those that need this.

There's been a few discussions in the comments in those tickets (and others?) that describe the TCAP behaviour, and I'm happy to move a discussion of the specifics to another thread.

regards,
Luke Mewburn.

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
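
The matching rule described in the message above (key on SCCP GT + TCAP TID, re-bind the responder's GT on the first CONTINUE, tolerate trailing digits added by GTT), as an added example that is not part of the original post and is not Wireshark code. The struct names, the 16-slot table, the prefix rule in `gt_match` and the GT values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TC_BEGIN, TC_CONTINUE, TC_END };
struct tcap_msg { int type; const char *calling_gt, *called_gt; uint32_t otid, dtid; };
struct tcap_txn { int used, confirmed; char orig_gt[24], resp_gt[24]; uint32_t otid, dtid; };
static struct tcap_txn table[16];

/* GTT tolerance (assumption): GTs match if one is a non-empty prefix of the other. */
static int gt_match(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    return n > 0 && strncmp(a, b, n) == 0;
}

/* Returns the transaction slot a message belongs to, or -1 if unmatched. */
int tcap_match(const struct tcap_msg *m) {
    for (int i = 0; i < 16; i++) {
        struct tcap_txn *t = &table[i];
        if (m->type == TC_BEGIN) {            /* new transaction: take first free slot */
            if (t->used) continue;
            *t = (struct tcap_txn){ .used = 1, .otid = m->otid };
            snprintf(t->orig_gt, sizeof t->orig_gt, "%s", m->calling_gt);
            snprintf(t->resp_gt, sizeof t->resp_gt, "%s", m->called_gt);
            return i;
        }
        if (!t->used) continue;
        if (m->dtid == t->otid && gt_match(m->called_gt, t->orig_gt)) {
            /* responder -> originator; first CONTINUE is the dialogue confirmation */
            if (m->type == TC_CONTINUE && !t->confirmed) {
                snprintf(t->resp_gt, sizeof t->resp_gt, "%s", m->calling_gt);
                t->dtid = m->otid; t->confirmed = 1;
            }
        } else if (!(t->confirmed && m->dtid == t->dtid && gt_match(m->called_gt, t->resp_gt))) {
            continue;                         /* not originator -> responder either */
        }
        if (m->type == TC_END) t->used = 0;   /* transaction finished, free the slot */
        return i;
    }
    return -1;
}

int main(void) {   /* constructed sample: BEGIN, then a CONTINUE whose called GT gained "55" */
    struct tcap_msg b = { TC_BEGIN, "614001", "614002", 0x11, 0 };
    struct tcap_msg c = { TC_CONTINUE, "614009", "61400155", 0x22, 0x11 };
    int s1 = tcap_match(&b), s2 = tcap_match(&c);
    printf("BEGIN -> slot %d, CONTINUE -> slot %d\n", s1, s2);
    return 0;
}
```

The prefix rule is deliberately loose; a table of known translations, as the message suggests, would replace `gt_match` where the network's GTT behaviour is known.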