Wireshark-dev: Re: [Wireshark-dev] Conversations - addresses/ports, more general endpoints, and

From: Luke Mewburn <luke@xxxxxxxxxxx>
Date: Sun, 6 Jan 2019 11:04:03 +1100
[attempting a resend, 13 months later]

On Sat, Oct 28, 2017 at 08:12:53PM -0700, Guy Harris wrote:
  | Michael Mann is looking at generalizing conversations to handle
  | arbitrary endpoints, presumably not necessarily in the form of an
  | AT_ address plus a PT_ numeric port ID.
  |
  | [...]
  |
  | Some thoughts that come to mind:
  | 
  | 1) While we're generalizing conversations, should we have a
  | "superclass" that includes both endpoint-labeled conversations and
  | ID-labeled circuits, so that they can offer common services to
  | dissectors?
  | 
  | 2) Can we use conversations/circuits elsewhere, e.g. in the
  | conversations and endpoints UI functions?
  | 
  | 3) Would it be useful to add to the "Dissect As..." mechanisms the
  | ability to say, from the UI, "dissect the conversation/circuit to
  | which this packet belongs as...", rather than just "dissect this
  | {packet type, transport-layer port} as..."?
  | 
  | 4) Can we further generalize conversations/circuits to include, for
  | example, multiple endpoint pairs/circuit IDs, so that, for example,
  | an NFSv2 or NFSv3 "conversation" would include NFS traffic, NLM
  | (lock manager) traffic, and mount protocol traffic?


Another conversation type to consider refactoring to a more general
framework is TCAP transactions. TCAP currently uses its own
conversation matching, enabled with obscure TCAP preferences
(as "Service Time Analysis" and "Persistent stats for SRT").
As such, currently TCAP doesn't benefit from some of the
fancier conversation display support that other protocols support.

There have been a few bugs & fixes over the years for the TCAP (+SCCP)
transaction matching (I've fixed a couple myself), including:
 - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10841
 - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13739
 - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13926

(Unfortunately I was behind on my email and wasn't around to
contribute to the discussion of the fixes 13739 and 13926).

The conversation endpoint identifier for TCAP could still
be the relevant SCCP GT + TCAP TID, with provision
for changing GT in the first TCAP CONTINUE as part of
the TCAP "dialogue confirmation".

A complication is SCCP global title translation (GTT) where
the packets contain a slightly different GT in subsequent packets
_unrelated_ to dialogue confirmation, possibly changing the GT
of the original calling party mid-transaction!
E.g., the addition of trailing digits to the GTs.
This is difficult to implement without external configuration and
knowledge of the network behaviour. Possibly solved with a preference
table of GTs to translation, or even a Lua function, for those that
need this.

There have been a few discussions in the comments in those tickets
(and others?) that describe the TCAP behaviour, and I'm happy to
move a discussion of the specifics to another thread.


regards,
Luke Mewburn.
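A small model of the matching scheme sketched in the message above (SCCP GT + TCAP TID as the endpoint key, the responder's GT registered on the first CONTINUE, and a preference-style table folding GTT-rewritten GTs back to a canonical value). This is an added illustration, not Wireshark or Luke's code; the message fields, the GT values and the CANONICAL_GTS table are constructed assumptions.

```python
# Model of TCAP transaction matching keyed on SCCP GT + TCAP TID.
# Constructed example, not Wireshark code; message fields are simplified.

# Hypothetical "preference table" of canonical GTs: a GT seen on the wire that
# starts with one of these (e.g. GTT appended trailing digits) is folded back.
CANONICAL_GTS = ["61412000000", "61413000000"]


def normalize_gt(gt, table=CANONICAL_GTS):
    """Fold a GT rewritten by global title translation onto its canonical form."""
    for canon in sorted(table, key=len, reverse=True):  # longest prefix wins
        if gt.startswith(canon):
            return canon
    return gt


class Transaction:
    def __init__(self, tx_id):
        self.tx_id = tx_id
        self.keys = set()      # {(normalized GT, TID)} that map to this transaction
        self.frames = []
        self.closed = False


class TcapMatcher:
    def __init__(self):
        self.by_key = {}       # (GT of the TID owner, TID) -> Transaction
        self.transactions = []

    def feed(self, frame, calling_gt, called_gt, msg, otid=None, dtid=None):
        """Assign one TCAP message to a transaction; returns its id or None."""
        calling, called = normalize_gt(calling_gt), normalize_gt(called_gt)
        tx = None
        if dtid is not None:
            # The DTID is owned by the receiver, which the called GT identifies.
            tx = self.by_key.get((called, dtid))
        if tx is None:
            if msg != "BEGIN":
                return None    # CONTINUE/END/ABORT with no open transaction
            tx = Transaction(len(self.transactions) + 1)
            self.transactions.append(tx)
        if otid is not None:
            # BEGIN registers the originator's TID; the first CONTINUE registers
            # the responder's TID under whatever GT it chose (dialogue confirmation).
            key = (calling, otid)
            tx.keys.add(key)
            self.by_key[key] = tx
        tx.frames.append(frame)
        if msg in ("END", "ABORT"):
            tx.closed = True
            for key in tx.keys:
                self.by_key.pop(key, None)   # TIDs may be reused once closed
        return tx.tx_id
```

A real dissector would also have to cope with TCAP PREARRANGED END (no END on the wire) and with TIDs reused before the matcher sees a close, which this model does not attempt.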