On Tue, Sep 17, 2002 at 06:14:47PM -0700, Guy Harris wrote:
> Currently, you can't. There is currently no mechanism in Ethereal to
> support more than one conversation with the same endpoint addresses and
> port numbers; such a mechanism would have to be added.
>
> Such a mechanism would have to somehow arrange that more than one
> conversation with the same endpoint addresses and port numbers exist,
> and that the conversations be distinguished by something such as ranges
> of frame numbers, so that a query searching for a conversation would
> also take a frame number as an argument, and only a conversation whose
> range of frame numbers includes that frame would be found. The frame
> number argument would probably be the frame number of the frame being
> dissected.
>
> In addition, the TCP dissector would have to "close" a conversation
> either when it detects that a TCP connection has ended or that a new
> connection has started.

Such a mechanism could probably be implemented by making the
conversation code follow the "circuit" code.

I added a mechanism for keeping track of "circuits", which are like
conversations except that they're identified by a "circuit type" and
"circuit ID"; the former is an enumerated value of type "circuit_type",
and the latter is a 32-bit value. That's used for frame relay data link
connections (the circuit ID is the DLCI), ISDN channels (0 = D channel,
n - Bn channel), and X.25 logical channels (the circuit ID is the
logical channel number), and could also be used for ATM virtual
circuits. The X.25 dissector now uses circuits rather than its own data
structure for keeping track of the protocol used on a logical channel.

"circuit_new()", the equivalent of "conversation_new()", takes a frame
number as an argument, specifying the first frame to be considered part
of that circuit; "find_circuit()", the equivalent of
"find_conversation()", takes a frame number as an argument, specifying
the frame number of the frame currently being dissected. There's a new
"close_circuit()" routine, taking a "circuit_t" and a frame number as an
argument, and setting the *last* frame for that circuit to the specified
frame number. Multiple circuits can be created with the same circuit
ID; there's a list of those circuits, and "find_circuit()" searches that
list for the first circuit whose frame number range includes the
specified frame number.

Similar things could be done for conversations (we even have a
currently-unused "next" pointer in the "conversation_t" structure). For
example, the TCP dissector could, on the first pass, if it sees a frame
with a SYN in it, see if there's already a conversation between those
ports and addresses with the *previous* frame number being in its frame
number range and, if so, close it, specifying the last frame number as
being the previous frame.
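
The frame-range lookup described in the message above, as an added example; it is not Ethereal's own circuit or conversation code. All "ex_" names are hypothetical, and it assumes frame numbers start at 1 so that a last frame of 0 can mean "still open".

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model, not Ethereal's code: one list of circuits in which
 * several entries may share the same (type, id) key. */
typedef struct ex_circuit {
    int type;              /* stands in for the "circuit_type" enum */
    uint32_t id;           /* e.g. DLCI or logical channel number */
    uint32_t first_frame;  /* first frame that belongs to this circuit */
    uint32_t last_frame;   /* assumption: 0 = not closed yet */
    struct ex_circuit *next;
} ex_circuit;

static ex_circuit *ex_head, *ex_tail;

/* Append a circuit whose frame range starts at first_frame. */
ex_circuit *ex_circuit_new(int type, uint32_t id, uint32_t first_frame)
{
    ex_circuit *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->type = type; c->id = id; c->first_frame = first_frame;
    if (ex_tail) ex_tail->next = c; else ex_head = c;
    ex_tail = c;
    return c;
}

/* First circuit with this key whose frame range includes 'frame'. */
ex_circuit *ex_find_circuit(int type, uint32_t id, uint32_t frame)
{
    for (ex_circuit *c = ex_head; c != NULL; c = c->next) {
        if (c->type != type || c->id != id) continue;
        if (frame >= c->first_frame &&
            (c->last_frame == 0 || frame <= c->last_frame))
            return c;
    }
    return NULL;
}

/* Record the last frame that belongs to the circuit. */
void ex_close_circuit(ex_circuit *c, uint32_t last) { c->last_frame = last; }

/* The SYN case: a new connection starts at 'frame', so close whatever
 * covered the previous frame and open a new entry under the same key. */
ex_circuit *ex_restart(int type, uint32_t id, uint32_t frame)
{
    ex_circuit *old = ex_find_circuit(type, id, frame - 1);
    if (old != NULL) ex_close_circuit(old, frame - 1);
    return ex_circuit_new(type, id, frame);
}
```

Because every lookup carries the frame number being dissected, a later pass over an early frame still resolves to the entry that was live at that frame, not to the most recent reuse of the same key.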