Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] master 31ecdf5: Refactor "common" Conver

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 29 Jul 2014 01:02:46 -0700

On Jul 28, 2014, at 8:34 PM, mmann78@xxxxxxxxxxxx wrote:

> On a related note, I took the "common" Conversation table functionality a step further and "merged in" the hostlist/endpoint functionality (https://code.wireshark.org/review/3214/). Since I don't know a lot about conversations/endpoints, does it make sense to separate the two (from a dissector/epan API standpoint) or combine them? Is it just a "coincidence" that the same dissectors that have conversations also have endpoints?

No, but...

> Or would it be possible for a dissector to have one without the other?

...yes.

libwireshark has its own notion of "conversations", which we might be able to unify with the conversation table notion.

It also has a notion of "circuits", which are for protocols where you have virtual circuit identifiers independent of endpoint identifiers, e.g. X.25.  There might still be endpoint identifiers for those protocols.

> Why is the tap name "hosts" for everything but TCP and UDP (which use "endpoint")?

Because, for some protocols, an endpoint identifier identifies a machine (e.g., a MAC address for LAN segment-level conversations or an IP address for network-layer conversations) and, for others, it identifies an entity on a machine (e.g., an IP address plus a port, for TCP connections or UDP conversations).