2008/9/10 Maynard, Chris <[EMAIL PROTECTED]> > Should we ever see instances where conversation_new() is called without > a preceding find_conversation()? > > I have found 3 such dissectors, and the code seems suspicious to me. > The 3 are: > packet-bittorrent.c > packet-dtpt.c > packet-quake.c > > - Chris > > In the case of packet-bittorrent.c there should really be a call to find_conversation preceeding the call to conversation_new although I can see the reason for why the implementor did not do this (if there is some thought behind it and not just a slip).
Since the call to conversation_new is (only) part of the heuristic dissection, this means that packet-bittorrent attempts to find bittorrent traffic on (especially) other ports than the pre-defined ones. When such a port is found it is very unlikely that the 4-tuple that defines the connection (src and dest IP addresses and ports) will already have been seen by the dissector before. Hence, it is very unlikely that a second conversation_new would occur for the same 4-tuple that has been used in packet-bittorrent's conversation_new before, but not impossible of course. There should definately be a call to find_conversation preceeding the call to conversation_new in packet-quake.c. Regards, Peter
_______________________________________________ Wireshark-dev mailing list [email protected] https://wireshark.org/mailman/listinfo/wireshark-dev
