Wireshark-bugs: [Wireshark-bugs] [Bug 1184] *Shark should support associating TCP and UDP packet

Date: Tue, 09 Apr 2013 00:52:09 +0000

Comment # 11 on bug 1184 from
I've been thinking about ways to hook protocol control block connection and
destruction up to, for example, BPF, so that something capturing from an
enhanced version of BPF (enhanced to deliver events other than just packets)
could receive "process XXX created a protocol control block with this protocol
type and transport endpoint addresses" and "the protocol control block with
this protocol type and transport endpoint addresses has been torn down".

I've not developed any code for that; unfortunately, it'd require changes to OS
kernel-mode code, libpcap, and the capturing programs.

Another possibility might be to see whether DTrace taps could be used to
capture PCB creation and destruction, on OSes that support it; you'd have two
sources of input to listen to, but, if both are time-stamped, you could at
least impose a total order on the events (based on the time stamps and, if the
time stamps are equal, breaking the tie by putting PCB creation events before
and PCB destruction events after packets).


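The ordering rule described in the comment above (sort by time stamp; on a tie, PCB creation before packets and PCB destruction after), as an added example that is not part of the original message or of Wireshark, libpcap or DTrace. The `Event` record, its field names and the sample data are constructed for illustration; it assumes both sources are stamped from the same clock and that each PCB has both endpoints set.

```python
import heapq
from typing import NamedTuple, Optional

# Rank used only when time stamps are equal:
# PCB creation sorts before packets, PCB destruction after them.
RANK = {"pcb_create": 0, "packet": 1, "pcb_destroy": 2}

class Event(NamedTuple):  # hypothetical record layout, not a libpcap/DTrace format
    ts: float
    kind: str                  # "pcb_create", "packet" or "pcb_destroy"
    proto: str
    a: tuple                   # (address, port)
    b: tuple                   # (address, port)
    pid: Optional[int] = None  # set on PCB events only

def flow_key(ev):
    # Direction-independent key, so packets in both directions match the PCB.
    return (ev.proto, frozenset((ev.a, ev.b)))

def total_order(pcb_events, packets):
    """Merge two time-sorted streams into one totally ordered stream."""
    return heapq.merge(pcb_events, packets,
                       key=lambda ev: (ev.ts, RANK[ev.kind]))

def attribute(pcb_events, packets):
    """Return (ts, pid) per packet; pid is None when no PCB is live."""
    live, out = {}, []
    for ev in total_order(pcb_events, packets):
        if ev.kind == "pcb_create":
            live[flow_key(ev)] = ev.pid
        elif ev.kind == "pcb_destroy":
            live.pop(flow_key(ev), None)
        else:
            out.append((ev.ts, live.get(flow_key(ev))))
    return out

# Constructed sample data (documentation addresses, made-up PIDs).
C, S = ("192.0.2.10", 50000), ("198.51.100.5", 443)
PCBS = [
    Event(1.0, "pcb_create", "tcp", C, S, 4242),
    Event(3.0, "pcb_destroy", "tcp", C, S, 4242),
    Event(5.0, "pcb_create", "tcp", C, S, 5151),  # endpoints reused
]
PACKETS = [
    Event(1.0, "packet", "tcp", C, S),  # ties with creation
    Event(2.0, "packet", "tcp", S, C),  # reply direction
    Event(3.0, "packet", "tcp", C, S),  # ties with destruction
    Event(4.0, "packet", "tcp", C, S),  # no live PCB at this time
    Event(5.0, "packet", "tcp", C, S),  # ties with the second creation
]
```

Without the tie-break, the packets at 1.0 and 5.0 could sort ahead of their PCB creation events and end up unattributed or attributed to the previous owner of the endpoints.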