I am developing a dissector for a protocol on top of TCP. Perhaps someone has run into the same problem I am trying to solve.
The protocol I am dissecting requires a bit of data from the previous packet in order to properly dissect the current one. Using per-packet data (p_get_proto_data(), etc.) and per-conversation data (find_conversation()) gets me part of the way there but not all the way. I can use per-packet data to store the data I need with the packet, but the problem is finding the previous packet when dissecting the current one.
The problem is that during dissection of the current packet, I need to find the _previous_ packet in the _same_ conversation, in the _same_ direction (e.g., if the command is client-to-server, I need the previous client-to-server packet). pinfo->fd->prev isn't sufficient because that isn't necessarily the right packet.
Another way of saying it is that when dissecting tcpbytes[i] in the TCP stream, I sometimes need to access tcpbytes[i-n], which may not be in the current packet that I'm dissecting, so I don't see an easy way to get access to it. Does anyone have an idea of a simple way to accomplish this? Does the TCP dissector provide any stream access functions that will let me do this, for example?
Thanks,
-Jon
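
Added example, not part of the original post and not Wireshark code: a self-contained C model of one way to combine the two mechanisms mentioned above, keeping a rolling tail of each direction's bytes in per-conversation state and freezing a copy into per-packet state on the first pass, so that later out-of-order revisits see the same bytes. `conv_state`, `frame_state`, `dissect`, `CTX` and `MAX_FRAMES` are hypothetical names, the payloads are constructed, and the model assumes segments are seen in stream order on the first pass.

```c
/* Constructed model, not Wireshark code; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTX 4            /* assumed: how many earlier stream bytes are needed */
#define MAX_FRAMES 16

/* Stands in for per-conversation data: rolling tail of each direction. */
typedef struct { uint8_t tail[2][CTX]; size_t n[2]; } conv_state;
/* Stands in for per-packet data: snapshot frozen on the first pass. */
typedef struct { int visited; uint8_t prev[CTX]; size_t n; } frame_state;

static conv_state conv;
static frame_state frames[MAX_FRAMES];

/* Append a payload to one direction's tail, keeping only the last CTX bytes. */
static void push_tail(int dir, const uint8_t *p, size_t len)
{
    uint8_t *t = conv.tail[dir];
    size_t take = len < CTX ? len : CTX;   /* newest bytes to store */
    size_t keep = conv.n[dir] < CTX - take ? conv.n[dir] : CTX - take;
    memmove(t, t + conv.n[dir] - keep, keep);
    memcpy(t + keep, p + len - take, take);
    conv.n[dir] = keep + take;
}

/* Copies the bytes that preceded this frame in the same direction into out
 * and returns their count. dir: 0 = client-to-server, 1 = server-to-client. */
size_t dissect(int frame, int dir, const uint8_t *p, size_t len, uint8_t *out)
{
    if (frame < 0 || frame >= MAX_FRAMES) return 0;
    frame_state *fs = &frames[frame];
    if (!fs->visited) {                /* first, in-order pass only */
        fs->n = conv.n[dir];
        memcpy(fs->prev, conv.tail[dir], fs->n);
        push_tail(dir, p, len);        /* advance state for the next frame */
        fs->visited = 1;
    }
    memcpy(out, fs->prev, fs->n);      /* revisits read the frozen snapshot */
    return fs->n;
}

int main(void)
{
    uint8_t out[CTX];
    dissect(0, 0, (const uint8_t *)"ABCDEF", 6, out);   /* constructed payloads */
    dissect(1, 1, (const uint8_t *)"xyz", 3, out);
    size_t n = dissect(2, 0, (const uint8_t *)"GH", 2, out);
    printf("frame 2 context: %.*s\n", (int)n, (const char *)out);
    return 0;
}
```

Retransmitted or reordered segments would corrupt the rolling tail in this model; a real dissector would have to account for them before updating the per-direction state.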