Wireshark-dev: Re: [Wireshark-dev] Another one with dissector questions

From: didier <dgautheron@xxxxxxxx>
Date: Thu, 24 Apr 2008 01:55:39 +0200
Hi
> Hi,
> 
> Yes, I think you're on the right track here.
> 
> Concerning the conversation search, I think you've a point. When searching for 
> a conversation along the time axis, you shouldn't get a conversation 
> before the first one is established.
> 
> I'm not aware if many dissectors use conversations that way and this is a 
> corner case. That may be why it wasn't spotted before.
packet-rdt.c and packet-rdp.c, these two check p_conv->setup_frame.

And at least packet-dtpt.c and packet-quake.c. But some of this code looks
suspicious to me, i.e. calls to conversation_new without a call to
find_conversation first.


> A simple fix for your code is to check the returned conversation frame number 
> against the current frame's number and discard it when it's older. Of course 
> that should be done by the search routine, for which a change will be 
> committed later.
I think that if it's a TCP sub-dissector you also have to use a
different type, not pinfo->ptype, in find_conversation/conversation_new
or you'll get the conversation created by the TCP dissector or break
various TCP analyses.

Didier
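The two points raised in this exchange, the time-axis check on the conversation's setup frame and keying a sub-dissector's conversations by a port type of its own rather than pinfo->ptype, as an added, stand-alone illustration. This is not Wireshark code and not from any dissector named above: the table, the `conv_new`/`conv_find` helpers, the `PT_MYPROTO` value and the frame numbers are all assumptions that merely mirror the semantics of conversation_new()/find_conversation() discussed in the thread.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Port types. PT_TCP stands in for pinfo->ptype of a TCP segment; PT_MYPROTO
 * is a hypothetical value private to the sub-dissector, so its conversations
 * never collide with the ones the TCP dissector keeps for the same 4-tuple. */
typedef enum { PT_TCP = 6, PT_MYPROTO = 1000 } port_type;

typedef struct {
    uint32_t  setup_frame;      /* frame in which the conversation was created */
    uint32_t  addr_a, addr_b;   /* IPv4 addresses as host-order integers, for brevity */
    uint16_t  port_a, port_b;
    port_type ptype;
} conversation_t;

#define MAX_CONV 32
static conversation_t table[MAX_CONV];
static int n_conv;

static void conv_reset(void) { n_conv = 0; }

/* Mirrors conversation_new(): register a conversation beginning at setup_frame. */
static conversation_t *conv_new(uint32_t setup_frame,
                                uint32_t addr_a, uint16_t port_a,
                                uint32_t addr_b, uint16_t port_b,
                                port_type ptype)
{
    if (n_conv == MAX_CONV)
        return NULL;
    conversation_t *c = &table[n_conv++];
    c->setup_frame = setup_frame;
    c->addr_a = addr_a; c->port_a = port_a;
    c->addr_b = addr_b; c->port_b = port_b;
    c->ptype = ptype;
    return c;
}

/* Endpoints match in either direction, but only under the same port type. */
static int conv_matches(const conversation_t *c,
                        uint32_t addr_a, uint16_t port_a,
                        uint32_t addr_b, uint16_t port_b,
                        port_type ptype)
{
    if (c->ptype != ptype)
        return 0;
    if (c->addr_a == addr_a && c->port_a == port_a &&
        c->addr_b == addr_b && c->port_b == port_b)
        return 1;
    if (c->addr_a == addr_b && c->port_a == port_b &&
        c->addr_b == addr_a && c->port_b == port_a)
        return 1;
    return 0;
}

/* Mirrors find_conversation() with the time-axis rule applied in the search
 * routine itself: among matching conversations, return the most recent one
 * whose setup_frame is not later than the frame being dissected. A
 * conversation established only in a later frame is invisible from an
 * earlier one, so the caller no longer has to compare frame numbers. */
static conversation_t *conv_find(uint32_t frame,
                                 uint32_t addr_a, uint16_t port_a,
                                 uint32_t addr_b, uint16_t port_b,
                                 port_type ptype)
{
    conversation_t *best = NULL;
    for (int i = 0; i < n_conv; i++) {
        conversation_t *c = &table[i];
        if (!conv_matches(c, addr_a, port_a, addr_b, port_b, ptype))
            continue;
        if (c->setup_frame > frame)        /* not yet established at this frame */
            continue;
        if (best == NULL || c->setup_frame > best->setup_frame)
            best = c;
    }
    return best;
}

/* Constructed scenario (not a real capture): the TCP dissector creates its
 * conversation for 10.0.0.1:40000 <-> 10.0.0.2:5000 in frame 1; the
 * sub-dissector recognises its own setup exchange in frame 10 and registers
 * a conversation under PT_MYPROTO. Returns the setup_frame of whatever a
 * lookup in `frame` under `ptype` yields, or 0 when nothing is found. */
#define HOST_A 0x0A000001u   /* 10.0.0.1 */
#define HOST_B 0x0A000002u   /* 10.0.0.2 */

static uint32_t scenario_lookup(uint32_t frame, port_type ptype, int reversed)
{
    conv_reset();
    conv_new(1,  HOST_A, 40000, HOST_B, 5000, PT_TCP);
    conv_new(10, HOST_A, 40000, HOST_B, 5000, PT_MYPROTO);

    conversation_t *c = reversed
        ? conv_find(frame, HOST_B, 5000, HOST_A, 40000, ptype)
        : conv_find(frame, HOST_A, 40000, HOST_B, 5000, ptype);
    return c ? c->setup_frame : 0;
}

int main(void)
{
    printf("frame 5,  PT_MYPROTO: setup_frame %" PRIu32 " (0 = none)\n", scenario_lookup(5, PT_MYPROTO, 0));
    printf("frame 15, PT_MYPROTO: setup_frame %" PRIu32 "\n", scenario_lookup(15, PT_MYPROTO, 0));
    printf("frame 15, PT_TCP    : setup_frame %" PRIu32 " (TCP's own conversation)\n", scenario_lookup(15, PT_TCP, 0));
    return 0;
}
```

Looking up frame 5 under PT_MYPROTO finds nothing, because the sub-dissector's conversation is only set up in frame 10; the same lookup under PT_TCP (what a sub-dissector passing pinfo->ptype would effectively do) returns the TCP dissector's conversation from frame 1, which is exactly the collision the message warns about.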