Wireshark-dev: Re: [Wireshark-dev] Conversations - addresses/ports, more general endpoints, and
From: Guy Harris <[email protected]>
Date: Sun, 6 Jan 2019 11:54:45 -0800
On Jan 6, 2019, at 10:30 AM, Jaap Keuter <[email protected]> wrote:

> Rather than simplistic endpoint ID’s I think we need an ID tuple per endpoint,

How is a tuple not itself an ID?

And not all conversations necessarily have specific endpoints.

> which may be combined with one (or more) other tuples representing single (and multipoint) connections.
> Examples are an aggregating tap/monitor port which monitors various VLANs, or an MPLS link. Or even closer to home, a multi port capture in a pcapng file, lets say of two ports of a switch or router. The conversations therein would need to be identified from the capture interface on up.

The intent here is to have a general concept of a "conversation", with no specification, at that layer, as to how a "conversation" is identified - think of it as an abstract base class - with subclasses that use different ways of identifying whether a packet belongs to a given conversation or not.  Multiple subclasses can share code for identifying that; TCP and UDP might share the "IP address and port" identification code.

(I"m not sure I like the name "conversation", but I'm not sure I like "flow" as that strikes me as half of a conversation going in only one direction, and I'm not sure what other name would be good for that broad a concept.)