On Jul 28, 2014, at 8:34 PM, [email protected] wrote:

> On a related note, I took the "common" Conversation table functionality a
> step further and "merged in" the hostlist/endpoint functionality
> (https://code.wireshark.org/review/3214/). Since I don't know a lot about
> conversations/endpoints, does it make sense to separate the two (from a
> dissector/epan API standpoint) or combine them? Is it just a "coincidence"
> that the same dissectors that have conversations, also have endpoints?

No, but...

> Or would it be possible for a dissector to have one without the other?

...yes.

libwireshark has its own notion of "conversations", which we might be able to unify with the conversation table notion. It also has a notion of "circuits", which are for protocols where you have virtual circuit identifiers independent of endpoint identifiers, e.g. X.25. There might still be endpoint identifiers for those protocols.

> Why is the tap name "hosts" for everything but TCP and UDP (which use
> "endpoint")?

Because, for some protocols, an endpoint identifier identifies a machine (e.g., a MAC address for LAN segment-level conversations or an IP address for network-layer conversations) and, for others, it identifies an entity on a machine (e.g., an IP address plus a port, for TCP connections or UDP conversations).
