Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Global conversation

From: Anders Broman <a.broman@xxxxxxxxxxxx>
Date: Fri, 07 Oct 2011 18:31:53 +0200
Anders Broman skrev 2011-10-07 18:10:
Mike Morrin skrev 2011-10-07 17:48:

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: 07 October 2011 16:32
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Global conversation

On Fri, Oct 07, 2011 at 02:51:35PM +0200, Anders Broman wrote:

Perhaps it could be done if we had a Global conversation to which you
cold add a List of per protocol conversations.
We could create a new set of conversation functions, such as:

    global_conversation_new()
    global_find_conversation()
    global_conversation_add_proto_data()

(Although using "global" makes them a bit long)

One problem is to make it generic enough and in this particular
scenario the subscriber number or similar would be the thing gluing
the conversations together and that would only be Available in some
messages. Another problem is when to create the global conversation
e.g. what is the start.
<Using a unique piece of information, such as the phone number, would
<allow each dissector that is capable of working with that global
<Conversation to look up if it has already been created.  Perhaps two
<pieces of informatino would be needed: a type of information and the
<information, e.g. PHONE_NUMBER and "+11111111111" or something more
<generic like passing a string "phone-number" and then the number
itself.
<It sounds like a good idea, but would just need a few decisions to be
<made first.

I think that it should be a bit more flexible:
* Have conversations per protocol, with 1 or more identifier keys.
* When a new identifier is observed, if it can be associated with an
existing conversation which was created with a different key, then add
the new key to the existing conversation, otherwise create a new
conversation with the new key.
* Allow conversations to be associated with conversations in other
protocols.  The set of associated conversations becomes the global
conversation, but is flexible in terms of the sequence of build-up of
supporting protocols.
* A dissector can use a protocol/key pair to find a potentially
associated conversion already existing in another protocol.
* A dissector can access the set of keys for any protocol in an
associated conversation
Something like that is what I was thinking about.
/Anders

How a bout something like

 * proto_conv_new(proto ,key(s))
Check if global/top/main conversation exist by matching the key with other protocols using that key. ( string key looking in a (hash)table of strings finding list of proto_conv ?)
    if not create it and create the proto_conv.
   Return proto_conv and possible top_conv

 * proto_conv_add_key(proto, key(s));
if a new key has turned up in the conversation look if there are matching proto_convs with a
   different top_conv if true join them.

I'm sure there are many pitfall here and with phone call as an example what if two consecutive calls are made how to differentiate between them. Another mater is performance and memory consumption.

Regards
Anders





This message contains confidential information and may be privileged. If you are not the intended recipient, please notify the sender and delete the message immediately.

ip.access Ltd, registration number 3400157, Building 2020,
Cambourne Business Park, Cambourne, Cambridge CB23 6DW, United Kingdom
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list<wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe