Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] conversation_new() without a preceding find_conversation()

From: didier <dgautheron@xxxxxxxx>
Date: Wed, 10 Sep 2008 20:47:56 +0200
Hi,
Le mercredi 10 septembre 2008 ᅵ 08:16 +0200, Peter Johansson a ᅵcrit :
> 2008/9/10 Maynard, Chris <Christopher.Maynard@xxxxxxxxx>

> In the case of packet-bittorrent.c there should really be a call to
> find_conversation preceeding the call to conversation_new although I
> can see the reason for why the implementor did not do this (if there
> is some thought behind it and not just a slip).
>  
> Since the call to conversation_new is (only) part of the heuristic
> dissection, this means that packet-bittorrent attempts to find
> bittorrent traffic on (especially) other ports than the pre-defined
> ones. When such a port is found it is very unlikely that the 4-tuple
> that defines the connection (src and dest IP addresses and ports) will
> already have been seen by the dissector before. Hence, it is very
> unlikely that a second conversation_new would occur for the same
> 4-tuple that has been used in packet-bittorrent's conversation_new
> before, but not impossible of course.
>  
TCP dissector always creates a conversation...

A little OT but most dissectors do something like:

c = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,
pinfo->ptype, pinfo->srcport, pinfo->destport, 0);

if (c == NULL)  {
   c = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst,
               pinfo->ptype, pinfo->srcport, pinfo->destport, 0);
}

Factorizing it in a new function:
c = get_packet_conversation(pinfo);
may help.

Didier