On Mon, Oct 15, 2007 at 11:21:23PM +0200, Ulf Lamping wrote:
> > An analogous situation is the headers included in ICMP error responses. The
> > ICMP dissector also calls the ip dissector. For ICMP this is less of an
> > issue since even if TCP headers were included in an ICMP error the packet
> > would be colored black in either case.
> > For sFlow it is normal operation to include headers. Having packets marked
> > black that are 100% normal seems wrong. The only reason the packets are
> > black is that the sequence numbers in the sampled headers don't happen to
> > sync up with anything else.
> I'm not enough of an expert on sflow/TCP/UDP to get an idea about it.
> However, this sounds a lot like the TCP/UDP dissectors should (somehow)
> prevent this situation - and not the coloring rules.
Actually the TCP/UDP dissectors do prevent this situation. The icmp
dissector (which is actually in epan/dissectors/packet-ip.c) sets the
flag "pinfo->in_error_pkt" when it is calling a subdissector like TCP
or UDP. The sFlow dissector could do the same. Have a look at all the
lines containing "in_error_pkt" in "epan/dissectors/packet-ip.c" to
get an idea of how to use this flag.
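As an added illustration (not code from this thread or from Wireshark itself), here is a constructed C model of the pattern described above: a toy TCP dissector that skips sequence analysis when `pinfo->in_error_pkt` is set, and an sFlow sample handler that saves, sets and restores the flag around the nested call, the way packet-ip.c does for ICMP errors. All struct and function names here are assumptions; Wireshark's real dissectors take tvbuff and tree arguments, and the IP layer between sFlow and TCP is elided.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the one packet_info field this thread discusses. */
typedef struct { bool in_error_pkt; } packet_info;

/* Constructed per-flow state: next expected TCP sequence number. */
static struct { bool seen; uint32_t next_seq; } flow;

/* Model TCP dissector: returns true when the segment would be flagged as
 * out of sequence (the "coloured black" case). Headers reached through an
 * enclosing packet are left out of the sequence analysis entirely. */
static bool dissect_tcp(packet_info *pinfo, uint32_t seq, uint32_t len)
{
    bool bad;
    if (pinfo->in_error_pkt)
        return false;
    bad = flow.seen && seq != flow.next_seq;
    flow.seen = true;
    flow.next_seq = seq + len;
    return bad;
}

/* sFlow sample carrying a copied header (IP layer elided): save, set and
 * restore the flag around the nested call, as the ICMP error path does.
 * set_flag=false models the current behaviour described in the thread. */
static bool dissect_sflow_sample(packet_info *pinfo, uint32_t seq,
                                 uint32_t len, bool set_flag)
{
    bool saved = pinfo->in_error_pkt, bad;
    if (set_flag)
        pinfo->in_error_pkt = true;
    bad = dissect_tcp(pinfo, seq, len);
    pinfo->in_error_pkt = saved;   /* never leak the flag to later packets */
    return bad;
}

/* Scenario: a live segment, an sFlow sample of an unrelated flow, then the
 * next live segment. Returns true if nothing was wrongly flagged. */
static bool live_traffic_stays_clean(bool set_flag)
{
    packet_info pi = { false };
    bool sample_bad, live_bad;
    flow.seen = false;
    dissect_tcp(&pi, 1000, 100);                 /* live: next expected 1100 */
    sample_bad = dissect_sflow_sample(&pi, 5000, 50, set_flag);
    live_bad = dissect_tcp(&pi, 1100, 100);      /* live, in sequence */
    return !sample_bad && !live_bad && !pi.in_error_pkt;
}
```

With the flag set, neither the sampled header nor the following live segment is flagged; without it, the sample pollutes the flow state and the perfectly normal live segment is marked out of sequence too.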