Wireshark · Wireshark-dev: Re: [Wireshark-dev] Conversation tracking

[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

Tobias Weiss wrote:
> Right now I'm puzzled: I wanted to use conversation tracking in order to 
> save information about the state of the communication across packet 
> dissection.
>
> The dissector is called completely out of order (which is reasonable) 
> but I get always the same conversation, even when dissecting an older 
> packet than the last one. So saving the state of the communication is 
> completely pointless if the same conversation is used for dissecting 
> random packets. Here is an example just in case you don't understand my 
> possibly weird English ;-)
>
> I have a stream of 10 packets and something interesting was send in 
> packet number 3. Now I want to save this information in the 
> conversations data in order to reuse it when dissecting future packets. 
> But the dissector is called randomly (which is ok) but always with the 
> same conversation (which is absolutely not ok in this case).
>
> I simply cannot rely on the saved information. So how am I supposed to 
> use conversation tracking in a sane way (as far as I can see I can't 
> _track_ anything)???

Conversations are used to store information some kind of data about a 
given "conversation"--typically all messages that share a given source 
IP+port and destination IP+port.  If you want that information to 
include *state* then you need to track that yourself.

So if you get interesting information in frame 3 and only want to apply 
that frames after 3, store the number 3 in your conversation data and 
compare it to the current frame number before applying that knowledge to 
the current frame.