Wireshark - the world's foremost network protocol analyzer

Wireshark-dev: Re: [Wireshark-dev] conversation_new() without a preceding find_conversation()


From: "Peter Johansson" <peterjohansson73@xxxxxxxxx>
Date: Wed, 10 Sep 2008 08:16:49 +0200

2008/9/10 Maynard, Chris <Christopher.Maynard@xxxxxxxxx>
Should we ever see instances where conversation_new() is called without
a preceding find_conversation()?

I have found 3 such dissectors, and the code seems suspicious to me.
The 3 are:
packet-bittorrent.c
packet-dtpt.c
packet-quake.c

- Chris

In the case of packet-bittorrent.c there should really be a call to find_conversation preceding the call to conversation_new, although I can see the reason why the implementor did not do this (if there is some thought behind it and not just a slip).

Since the call to conversation_new is (only) part of the heuristic dissection, this means that packet-bittorrent attempts to find bittorrent traffic on (especially) other ports than the pre-defined ones. When such a port is found it is very unlikely that the 4-tuple that defines the connection (src and dest IP addresses and ports) will already have been seen by the dissector before. Hence, it is very unlikely that a second conversation_new would occur for the same 4-tuple that has been used in packet-bittorrent's conversation_new before, but not impossible of course.

There should definitely be a call to find_conversation preceding the call to conversation_new in packet-quake.c.

Regards, Peter
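The lookup-before-create pattern that Chris and Peter are discussing, as an added illustration that is not part of this thread and not Wireshark's code: a miniature model of the conversation table, keyed on the direction-agnostic 4-tuple, with a dissector written in the suspicious shape (unconditional conversation_new) beside one written in the correct shape (find_conversation first, conversation_new only on a miss). Everything here is assumed for the sake of the example: IPv4 addresses as plain uint32_t, a flat array in place of the real hash table, the constructed addresses and ports, and simplified signatures (the real functions take address structures, a port type and option flags, which this model omits).

```c
/* Added example, not Wireshark's code: a miniature model of the conversation
 * table to show what goes wrong when a dissector calls conversation_new()
 * without first calling find_conversation() for the same 4-tuple.
 * Assumptions: IPv4 addresses as uint32_t, a flat array instead of the real
 * hash table, no port type or option flags; the real API signatures differ. */
#include <stdint.h>
#include <stdio.h>

#define MAX_CONVS 64

typedef struct {
    uint32_t addr_a, addr_b;
    uint16_t port_a, port_b;
    void    *proto_data;     /* per-conversation state attached by a dissector */
} conversation_t;

static conversation_t table[MAX_CONVS];
static int table_len = 0;

/* A conversation is direction-agnostic: (A:pa <-> B:pb) matches either way. */
static int same_key(const conversation_t *c, uint32_t a, uint32_t b,
                    uint16_t pa, uint16_t pb)
{
    return (c->addr_a == a && c->addr_b == b && c->port_a == pa && c->port_b == pb) ||
           (c->addr_a == b && c->addr_b == a && c->port_a == pb && c->port_b == pa);
}

/* Model of find_conversation(): first matching entry, or NULL on a miss. */
conversation_t *find_conversation(uint32_t a, uint32_t b, uint16_t pa, uint16_t pb)
{
    for (int i = 0; i < table_len; i++)
        if (same_key(&table[i], a, b, pa, pb))
            return &table[i];
    return NULL;
}

/* Model of conversation_new(): always appends a fresh entry, no lookup. */
conversation_t *conversation_new(uint32_t a, uint32_t b, uint16_t pa, uint16_t pb)
{
    if (table_len >= MAX_CONVS)
        return NULL;
    conversation_t *c = &table[table_len++];
    c->addr_a = a; c->addr_b = b; c->port_a = pa; c->port_b = pb;
    c->proto_data = NULL;
    return c;
}

void conversation_table_reset(void) { table_len = 0; }

typedef conversation_t *(*dissect_fn)(uint32_t, uint32_t, uint16_t, uint16_t);

/* Suspicious shape: every packet that passes the heuristic gets a new
 * conversation, even if one already exists for its 4-tuple. */
conversation_t *dissect_always_new(uint32_t a, uint32_t b, uint16_t pa, uint16_t pb)
{
    return conversation_new(a, b, pa, pb);
}

/* Correct shape: look up first, create only on a miss. */
conversation_t *dissect_find_then_new(uint32_t a, uint32_t b, uint16_t pa, uint16_t pb)
{
    conversation_t *c = find_conversation(a, b, pa, pb);
    if (c == NULL)
        c = conversation_new(a, b, pa, pb);
    return c;
}

typedef struct {
    int entries;        /* table entries after the flow; 1 is correct */
    int state_visible;  /* 1 if the reply packet sees state set on the request */
} flow_result_t;

/* Constructed flow: request 10.0.0.1:51413 -> 10.0.0.2:6881, then the reply
 * in the other direction; 'dissect' is invoked once per packet. */
flow_result_t run_flow(dissect_fn dissect)
{
    static int state_marker;
    const uint32_t A = 0x0A000001u, B = 0x0A000002u;
    const uint16_t PA = 51413, PB = 6881;
    flow_result_t r = {0, 0};

    conversation_table_reset();
    conversation_t *req = dissect(A, B, PA, PB);
    req->proto_data = &state_marker;          /* state learned from the request */
    conversation_t *rep = dissect(B, A, PB, PA);
    r.entries = table_len;
    r.state_visible = (rep->proto_data == &state_marker);
    return r;
}

int main(void)
{
    flow_result_t bad = run_flow(dissect_always_new);
    flow_result_t good = run_flow(dissect_find_then_new);
    printf("always_new:    entries=%d state_visible=%d\n", bad.entries, bad.state_visible);
    printf("find_then_new: entries=%d state_visible=%d\n", good.entries, good.state_visible);
    return 0;
}
```

The unconditional path ends the two-packet flow with two entries for one connection, and the reply packet cannot see the state attached on the request; the lookup-first path keeps a single entry and the state is visible from both directions. This is the failure a missing find_conversation exposes whenever the same 4-tuple reaches conversation_new twice, which is unlikely in a heuristic path for the reason Peter gives but, as he notes, not impossible.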
  • Follow-Ups:
    • Re: [Wireshark-dev] conversation_new() without a preceding find_conversation()
      • From: didier
  • References:
    • [Wireshark-dev] conversation_new() without a preceding find_conversation()
      • From: Maynard, Chris

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation