Ethereal-dev: Re: [Ethereal-dev] [patch] stun dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jon Ringle <ml-ethereal@xxxxxxxxxx>
Date: Mon, 17 Jan 2005 15:52:34 -0500

On Monday 17 January 2005 03:05 pm, Martin Regner wrote:
> Jon Ringle wrote:
> > I took a look at the capture, and it seems to me that the problem is that
> > ethereal can't handle having multiple conversations across time that
> > happen to use the same src/dest tuple.
> >
> > I am quite new to the ethereal source code, so my understanding of it is
> > a bit limited right now, but it looks like this might be resolved
> > globally by changing the conversation_t structure to include the frame
> > number of the packet that created a conversation. Then in the
> > find_conversation() function add a parameter that passes in the frame
> > number of the currently dissecting packet, and find the conversation that
> > has the largest frame number in the conversation_t structure, but smaller
> > than the current dissecting frame number. This would allow multiple
> > conversations to be registered that happen to use the same src/dest tuple
> > within the same capture.
>
> Yes, there have been discussions about changing the conversation code to
> indicate start/stop. Besides that you would need to do changes in SDP/H.245
> dissectors. For H.245 you would need to match OpenLogicalChannel message
> with the OpenLogicalChannelAck and so on ...
> It's possible to do it, but maybe not so easy...

Perhaps not so easy, but it gets to the root of the problem you are seeing with
T.38 packets being incorrectly dissected by RTP. Fixing this should make the
issue of determining whether a rtp.version==0 packet is t.38 or stun a moot
point, since the dissect_t38() function would be called instead of the
dissect_rtp() function.

Jon
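
The frame-aware lookup proposed in the quoted text above, as an added sketch that is not part of the original message and is not Ethereal's code. The names tuple_t, conv_t, conv_add and conv_find are hypothetical, the table is a fixed array matched in one direction only, and a conversation is assumed to apply from its setup frame onward.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for illustration; not Ethereal's conversation_t. */
enum proto { PROTO_RTP, PROTO_T38 };
typedef struct { uint32_t src, dst; uint16_t sport, dport; } tuple_t;
typedef struct {
    tuple_t    key;
    uint32_t   setup_frame;  /* frame that created this conversation */
    enum proto dissector;
} conv_t;

#define MAX_CONVS 64
static conv_t convs[MAX_CONVS];
static size_t nconvs;

static int tuple_eq(const tuple_t *a, const tuple_t *b)
{
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Register a conversation; returns -1 when the table is full. */
int conv_add(tuple_t key, uint32_t setup_frame, enum proto dissector)
{
    if (nconvs >= MAX_CONVS) return -1;
    convs[nconvs++] = (conv_t){ .key = key, .setup_frame = setup_frame,
                                .dissector = dissector };
    return 0;
}

/* Latest conversation on this tuple set up at or before `frame`, or NULL. */
const conv_t *conv_find(const tuple_t *key, uint32_t frame)
{
    const conv_t *best = NULL;
    for (size_t i = 0; i < nconvs; i++) {
        const conv_t *c = &convs[i];
        if (!tuple_eq(&c->key, key) || c->setup_frame > frame) continue;
        if (!best || c->setup_frame > best->setup_frame) best = c;
    }
    return best;
}

int main(void)
{
    tuple_t t = { 0x0a000001, 0x0a000002, 5004, 5004 };  /* constructed */
    conv_add(t, 10, PROTO_RTP);   /* first call: RTP set up in frame 10 */
    conv_add(t, 200, PROTO_T38);  /* later call reuses the tuple for T.38 */
    printf("frame 50 -> %d, frame 250 -> %d\n",
           conv_find(&t, 50)->dissector, conv_find(&t, 250)->dissector);
    return 0;
}
```

Because the lookup depends only on the frame number, redissecting frame 50 after the whole capture has been read still selects the RTP entry rather than the later T.38 one.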