Richard Sharpe wrote:
> On Fri, Jun 1, 2012 at 11:44 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
>> One of the more frequently asked questions/reported bugs is users filtering
>> for RTP, saving^W exporting those displayed packets, then opening the new
>> capture file only to find plain UDP. This is because the call-setup
>> protocol (e.g., SIP) wasn't included in the display filter.
>>
>> Now we have the ability to mark frames as dependent on others. Should, for
>> example, RTP frames mark the call-setup frames as dependencies? (I noticed
>> that RTP has a Setup Frame field; would one frame really be enough?)
>
> An alternative, but more radical approach, might be to export the
> state that is needed to correctly dissect the packets.
>
> We could lobby for an additional application-specific state record in
> pcap-ng or an application-specific option field. The state could be an
> asn.1 encoded blob, or whatever.
True. But I like the idea of adding ~1 line of code to the RTP
dissector and making all those questions go away.
Though I am nervous about this whole packet-dependency thing causing
users to say "I filtered on RTP and you saved my SIP too!"