> For implementing the H.323 dissector I have to dissect the H.245 protocol.
> Unfortunately this protocol is NOT bound to a known tcp port. This
> information is exchanged between two machines using the H.225 protocol.
> Unfortunately after that time I only know one IP address and corresponding
> port number.
I.e., you know that there will be a conversation between two machines,
but you only know the IP address and port number of one of the sides of
the conversation?
The TFTP dissector has the same problem - the initial TFTP request is
sent to the TFTP well-known port on the server, but the reply doesn't
necessarily come from the TFTP port (and probably doesn't); the only way
to recognize it is to note that it's being sent to the same IP
address/port pair on the client as the one from which the initial
request sent to the TFTP well-known port was sent.
Perhaps a scheme to have "half-conversations", where only one of the
addresses is known, would help here?
In the case of TFTP, all packets other than the initial one would
probably be between the same two IP address/port pairs, so a
"half-conversation" could be created when a packet to the TFTP port is
seen, and that "half-conversation" could be converted to a full
conversation as soon as the reply is seen - it'd match all packets
except the first (although, if we make conversations visible in the UI
above and beyond the stuff for TCP streams, we might either want to be
able to make the first packet an "honorary member" of that conversation,
or leave it as a half-conversation, so that the TFTP conversation
includes all the packets).
Could a similar scheme be used for H.323?
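The half-conversation scheme sketched above, as an added toy model rather than Ethereal's own conversation code: a table keyed on the one known address/port pair plus the peer's IP, promoted to a full two-endpoint conversation when the reply arrives; the `add_half` entry point is how a signalling dissector (H.225 announcing an H.245 endpoint) would seed it. Names, the constructed trace and the dict layout are assumptions.

```python
TFTP_PORT = 69  # well-known TFTP port; only the initial request goes here

class ConversationTable:
    """Tracks half-conversations (one endpoint known) and full ones (both known)."""

    def __init__(self):
        self.half = {}   # (known_ip, known_port, peer_ip) -> conversation id
        self.full = {}   # frozenset({(ip, port), (ip, port)}) -> conversation id
        self.next_id = 0

    def add_half(self, known_ip, known_port, peer_ip):
        """Create a half-conversation: one address/port pair and the peer's IP
        are known, but not the port the peer will answer from (H.245 case)."""
        self.next_id += 1
        self.half[(known_ip, known_port, peer_ip)] = self.next_id
        return self.next_id

    def classify(self, src, sport, dst, dport):
        """Return (conversation id or None, how this packet was matched)."""
        pair = frozenset(((src, sport), (dst, dport)))
        if pair in self.full:
            return self.full[pair], "full"
        # A packet to the known pair from the expected peer IP reveals the
        # peer's port: promote the half-conversation to a full one.
        conv = self.half.pop((dst, dport, src), None)
        if conv is not None:
            self.full[pair] = conv
            return conv, "promoted"
        # Initial TFTP request: the reply will come from an unknown server port.
        if dport == TFTP_PORT:
            return self.add_half(src, sport, dst), "half"
        return None, "unmatched"

def run_trace(packets, table=None):
    """Classify a list of (src, sport, dst, dport) tuples in order."""
    if table is None:
        table = ConversationTable()
    return [table.classify(*p) for p in packets]

# Constructed sample trace (not captured traffic): a TFTP read answered from
# an ephemeral server port, followed by one unrelated datagram.
SAMPLE_TRACE = [
    ("10.0.0.1", 50000, "10.0.0.2", TFTP_PORT),  # RRQ to the well-known port
    ("10.0.0.2", 3001, "10.0.0.1", 50000),       # DATA from ephemeral port
    ("10.0.0.1", 50000, "10.0.0.2", 3001),       # ACK
    ("10.0.0.2", 3001, "10.0.0.1", 50000),       # next DATA block
    ("10.0.0.3", 40000, "10.0.0.2", 5000),       # unrelated traffic
]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(pkt, "->", result)
```

Only the first request is classified as "half"; if the UI should show it as a member of the conversation, the dissector would record that frame against the id returned by `add_half`.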