Olivier Biot wrote:
Hi list,
How about adding a conversation index header field in
conversation-based protocols so the end-user is able to pick a given
conversation from the packet list. This can be seen as a
generalization of the "Follow TCP stream" feature, but then with only
the matching packets for a start (not the exchanged data as it
probably won't make that much sense as it'd almost always be binary data).

I was thinking about a similar way to do this.
I really agree that we need a more general way of handling
conversations. I often see people (including me) using the "Follow TCP
stream" function to filter TCP conversations,
while not being interested in the data displayed. Also it would be nice
to have this for UDP (and other) conversations as you suggest.
One problem with your suggestion: There are possibly multiple
conversations involved in one single packet in the future?
E.g: In DCE-RPC, there is a "private" mechanism on top of TCP/UDP, which
"emulates" conversations on top of TCP/UDP when defragmenting DCE-RPC
things.
We might need a somewhat more generalized way of handling conversations,
before thinking about displaying it to the user?
As I'm not 100% familiar with conversations, something like this might
already be implemented.
Regards, ULFL