Hi

> Hi,
>
> Yes, I think you're on the right track here.
>
> Concerning the conversation search, I think you've a point. When searching
> for a conversation along the time axis, you shouldn't get a conversation
> before the first one is established.
>
> I'm not aware if many dissectors use conversations that way and this is a
> corner case. That may be why it wasn't spotted before.

packet-rdt.c and packet-rdp.c, these two check p_conv->setup_frame.
And at least packet-dtpt.c, packet-quake.c. But some of this code looks suspicious to me, i.e. a call to conversation_new without a call to find_conversation first.

> A simple fix for your code is to check the returned conversation frame number
> against the current frame's number and discard it when it's older. Of course
> that should be done by the search routine, for which a change will be
> committed later.

I think that if it's a TCP sub-dissector you also have to use a different type, not pinfo->ptype, in find_conversation/conversation_new, or you'll get the conversation created by the TCP dissector or break various TCP analysis.

Didier
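
Added example, not part of the original message or of Wireshark's code: a stand-alone C model of the two checks discussed in this thread, skipping a conversation whose setup_frame is later than the frame being dissected and keeping a sub-dissector's entries under a type separate from TCP's. Only setup_frame is a name from the thread; the struct, the type tags and model_find are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not Wireshark's structures: only setup_frame is a field
 * named in the thread; the other members and names are hypothetical. */
typedef struct {
    uint32_t addr_a, addr_b;
    uint16_t port_a, port_b;
    int      type;          /* which dissector owns the entry */
    uint32_t setup_frame;   /* frame that created the conversation */
} model_conv_t;

enum { MODEL_TYPE_TCP = 1, MODEL_TYPE_SUB = 2 };   /* hypothetical type tags */

/* Constructed sample table: one TCP entry and two sub-dissector entries
 * on the same address/port pair. */
static const model_conv_t model_table[] = {
    { 1, 2, 1000, 80, MODEL_TYPE_TCP,  3 },
    { 1, 2, 1000, 80, MODEL_TYPE_SUB, 10 },
    { 1, 2, 1000, 80, MODEL_TYPE_SUB, 40 },
};

/* Return the most recently set-up conversation of `type` on the given
 * endpoints that already existed at `cur_frame`, or NULL if there is none. */
static const model_conv_t *model_find(uint32_t cur_frame, int type,
                                      uint32_t a, uint32_t b,
                                      uint16_t pa, uint16_t pb)
{
    const model_conv_t *best = NULL;
    size_t i;
    for (i = 0; i < sizeof model_table / sizeof model_table[0]; i++) {
        const model_conv_t *c = &model_table[i];
        if (c->type != type || c->addr_a != a || c->addr_b != b ||
            c->port_a != pa || c->port_b != pb)
            continue;               /* another dissector's entry or another flow */
        if (c->setup_frame > cur_frame)
            continue;               /* created later than the frame in hand */
        if (best == NULL || c->setup_frame > best->setup_frame)
            best = c;
    }
    return best;
}

int main(void)
{
    /* Frame 5 predates both sub-dissector entries, so nothing is returned. */
    return model_find(5, MODEL_TYPE_SUB, 1, 2, 1000, 80) == NULL ? 0 : 1;
}
```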