Wireshark-dev: Re: [Wireshark-dev] Incorrect decoding at first time, then filtering at the seco

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 8 Dec 2010 10:13:55 -0800
On Dec 8, 2010, at 9:22 AM, Andreas wrote:

> On 08.12.2010 17:14, Stephen Fisher wrote:
>> On Wed, Dec 08, 2010 at 12:29:40PM +0530, Vishal Kumar Singh wrote:
>> 
>> The best solution is to keep track of the information from previous
>> packets only on the first pass and store the data on a per-conversation
>> and per-packet basis.
> 
> I already know the conversation data. But what is the intention of the 
> per-packet data? Usually I have the raw data available with the tvb.

The raw data might not be fully dissectable without some further information.

For example, in an SMTP connection, some packets going from the client to the server contain commands and some contain mail-message data; Wireshark dissects them differently, and it has to attach to a given packet an indication of whether it contains commands or mail-message data.  In addition, to handle STARTTLS, it *also* has to indicate whether the packet contains TLS-encapsulated SMTP, rather than unencapsulated commands or mail-message data.
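The two-pass pattern described in this thread, as an added stand-alone illustration that is not Guy's code and does not use Wireshark's own dissector API: a constructed, client-to-server-only SMTP session is walked once in capture order, the per-conversation state (inside DATA, or after STARTTLS) is advanced, and the resulting classification of each frame is frozen in a per-frame record. Later passes, which may visit frames in any order when a filter is applied, read only those records. The `session` payloads, the frame numbering and the assumption that the server accepted DATA and STARTTLS are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of first-pass conversation tracking plus per-packet
 * records. Not Wireshark's API: a real dissector would keep the state in
 * conversation data and the records via per-packet proto data. */

typedef enum { KIND_COMMAND = 0, KIND_MESSAGE_DATA = 1, KIND_TLS = 2 } pkt_kind;

/* Per-conversation state: advances as packets are seen in capture order. */
typedef struct {
    int in_data;  /* between "DATA" and the terminating "." line */
    int in_tls;   /* after STARTTLS; everything that follows is TLS records */
} conv_state;

/* Per-packet record: the classification frozen on the first pass. */
typedef struct {
    int      classified;  /* 0 until the first pass has seen this frame */
    pkt_kind kind;
} pkt_record;

#define MAX_FRAMES 16
static pkt_record records[MAX_FRAMES];

/* Constructed client->server payloads of one SMTP session, frames 0..6.
 * Frame 6 is the start of a TLS ClientHello, not SMTP text. Server replies
 * (354 after DATA, 220 after STARTTLS) are assumed and not modelled. */
static const char *const session[] = {
    "EHLO client.example\r\n",
    "MAIL FROM:<alice@example.test>\r\n",
    "DATA\r\n",
    "Subject: hi\r\n\r\nhello\r\n",
    ".\r\n",
    "STARTTLS\r\n",
    "\x16\x03\x01\x00\x2e\x01",
};
#define NUM_FRAMES ((int)(sizeof session / sizeof session[0]))

/* Decide how a payload is dissected from the state *before* it, then
 * advance the conversation state. Stores nothing per frame. */
static pkt_kind classify(conv_state *cs, const char *payload)
{
    if (cs->in_tls)
        return KIND_TLS;
    if (cs->in_data) {
        if (strcmp(payload, ".\r\n") == 0)
            cs->in_data = 0;          /* end of message data */
        return KIND_MESSAGE_DATA;
    }
    if (strncmp(payload, "DATA\r\n", 6) == 0)
        cs->in_data = 1;
    else if (strncmp(payload, "STARTTLS\r\n", 10) == 0)
        cs->in_tls = 1;               /* assumes the server answered 220 */
    return KIND_COMMAND;
}

/* First pass only: classify in capture order and freeze the result per frame. */
static int run_first_pass(void)
{
    conv_state cs = {0, 0};
    for (int f = 0; f < NUM_FRAMES; f++) {
        records[f].kind = classify(&cs, session[f]);
        records[f].classified = 1;
    }
    return NUM_FRAMES;
}

/* Later passes (filtering, re-display), in any order: read the frozen
 * record only and never touch the conversation state. Returns 0 if the
 * frame has no first-pass record. */
static int dissect_later_pass(int frame, pkt_kind *kind_out)
{
    if (frame < 0 || frame >= MAX_FRAMES || !records[frame].classified)
        return 0;
    *kind_out = records[frame].kind;
    return 1;
}

/* The symptom from the subject line: a dissector that keeps only the
 * conversation state and re-runs it when a frame is revisited. After the
 * whole session has been seen once, revisiting frame 0 yields KIND_TLS. */
static pkt_kind symptom_revisit_frame0_without_records(void)
{
    conv_state cs = {0, 0};
    for (int f = 0; f < NUM_FRAMES; f++)
        classify(&cs, session[f]);
    return classify(&cs, session[0]);
}

int main(void)
{
    static const char *const names[] = {"command", "message data", "TLS"};
    run_first_pass();
    /* Revisit frames out of order, as a display filter would. */
    const int order[] = {6, 0, 4, 2, 5, 1, 3};
    for (int i = 0; i < NUM_FRAMES; i++) {
        pkt_kind k;
        if (dissect_later_pass(order[i], &k))
            printf("frame %d: %s\n", order[i], names[k]);
    }
    printf("frame 0 revisited without records: %s\n",
           names[symptom_revisit_frame0_without_records()]);
    return 0;
}
```

The first pass is the only place the conversation state is allowed to change; every later visit to a frame, whatever the order, reads the record that pass left behind, which is why a dissector that only keeps conversation state decodes correctly on load and wrongly once a filter makes Wireshark revisit frames.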