Wireshark-users: Re: [Wireshark-users] Dissecting RTP: false positives

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 27 Nov 2008 21:55:49 +0100
On Wed, Nov 26, 2008 at 01:53:35PM -0800, Thuy Nguyen wrote:
> 
> For tearing down a conversation, i think one way to do is from the 
> SIP/SDP dissector. When receiving a BYE/CANCEL SIP message, the SIP 
> dissector can search for the previously registered voice conversation, 
> and tear it down.

True, but for a protocol analyzer, even the stray packets after a
session teardown might be interesting to look at in the context of the
conversation.

> Your idea of a timeout is also a good way to go. 

I'll have a look at the conversation code, should not be to difficult to
implement...

> I'll look deeper into this when having more time.

Ah, time... never seems to be enough of the funny thing ;-)

Cheers,
    Sake