On Oct 24, 2012, at 9:54 AM, "Kaivaram, Pavan" <pavank@xxxxxxxxxxxxxxxx> wrote:
> I am using pcapng format to store data from my modem. Modem supports two interfaces (PPP/IP) and I am using two IDB sections in pcapng to represent this. However both interfaces have the same IP as seen from TCP and higher layers and they don’t exist at the same time.
I.e., this is some flavor of teaming (PPP Multilink, etc.)?
>
> When I generate conversations statistics from ethereal
(Presumably meaning "Wireshark", as pcap-NG support was added after the name changed from Ethereal to Wireshark.)
> for a particular TCP flow which started on Interface 1 and ended on Interface 2 it shows up as two separate flows in conversation statistics with same ip:port pairs.
So you have a single pcap-ng file, with two interfaces, and with packets between {ip1:port2} and {ip2:port2} on both interfaces, and the conversation statistics show two separate conversations?
The conversation code shouldn't even know that the packets are on different interfaces, so that sounds like a bug; could you file a bug on that and attach one of the network traces so we can try to debug it?
