Title: Filtering conversations within one connection
How can I filter in my plugin on a "conversation" within one client<=>host connection?
I have a plugin for our protocol-over-TCP/IP. I have one socket open between the client and the host. The socket supports multiple sessions. When there is data I have a header where I can see that the data is e.g. "Session == 1234". So for any frame with data I know the session. When the frame is just a [SYN|FIN], ACK then I don't have data. I need to associate those [SYN|FIN], ACK etc. frames with the correct session to see if ACKs are missing, etc.
If I follow the tcp.nxtseq number or tcp.ack then I can walk the frames but it leads me in and out of "sessions". I believe I need to walk the frames, note which of my "sessions" goes with a particular tcp.ack and add virtual data to that tcp.ack TCP/IP frame so I'll know later with what "session" it is associated. Then I can just filter on "session == 1234" and all the data and control frames will be displayed.
Is this the best method? Do I use the conversation routines? The developer documentation talks "of" them but not enough "about" how to use them. It also says “a conversation is defined as a series of data packet between two address:port combinations”, whereas my “conversations” are within the two address:port combinations. Where can I learn the right way? How can I be sure to parse the data once to add the virtual data and not add it every time a new filter is applied or cleared?
Thank you,
Jay
