On Mar 23, 2012, at 6:11 PM, Martin Mathieson wrote:

> I'm now needing to analyse TCP conversations carried over LTE 
> MAC/RLC/PDCP/IP.  So one frame in a log or capture can hold many segments of 
> the same TCP conversation.

Presumably because it can hold multiple IP datagrams.

There are probably many parts of Wireshark that assume that a packet at the 
lowest visible layer will not contain more than one packet from a higher layer, 
so that the frame number can be used to uniquely identify packets at all layers.

I suspect LTE is not the only link layer that violates this assumption.

(In addition, assuming that a packet at the transport layer will not contain 
more than one packet from a higher layer is also not valid; TCP violates that 
assumption.)

So, in the general case, we'd need more than just the frame number; a pairing 
of {frame number} and {offset, relative to the beginning of the frame, of the 
first byte of the next layer of packet} might suffice, although it doubles the 
space required for the key.

> My change was to expand the key now to include 
> frame+sequence-number+ack-number (where the sequence-number and ack-number 
> are the raw, rather than relative, values), which works well for me.

That's another possibility, although it's specific to LTE.

> Is there a more appropriate key for looking up the segment?  I did think 
> about adding an index for the segment within the frame, but that would be 
> messy, and if you had two segments with the same seq+ack, I think the same 
> analysis would always apply.

"Index" meaning "if a given LTE MAC layer frame has more than one higher-layer 
packet in it, use the ordinal number of the packet"?
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
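
The keying issue discussed in this message, as an added example that is not part of the original email and is not Wireshark's code: a per-segment analysis table keyed by frame number alone loses entries when one frame carries several segments, while a {frame number, offset} key keeps them apart. All type and function names are hypothetical and the sample frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; a linear table stands in for a real hash table. */
typedef struct {
    uint32_t frame;    /* frame number in the capture */
    uint32_t offset;   /* offset in the frame of the higher-layer packet's first byte */
} seg_key;

typedef struct { seg_key key; uint32_t flags; } seg_entry;
typedef struct {
    seg_entry e[16];
    size_t n;
    int use_offset;    /* 0: key is {frame}; 1: key is {frame, offset} */
} seg_table;

static int key_equal(const seg_table *t, seg_key a, seg_key b)
{
    return a.frame == b.frame && (!t->use_offset || a.offset == b.offset);
}

/* Store per-segment analysis flags; an equal key overwrites. Returns -1 if full. */
int seg_store(seg_table *t, seg_key k, uint32_t flags)
{
    for (size_t i = 0; i < t->n; i++)
        if (key_equal(t, t->e[i].key, k)) { t->e[i].flags = flags; return 0; }
    if (t->n == sizeof t->e / sizeof t->e[0]) return -1;
    t->e[t->n].key = k;
    t->e[t->n++].flags = flags;
    return 0;
}

/* Constructed sample: frame 7 carries three segments at offsets 40, 1500, 2960
 * with flags 0x1, 0x2, 0x4. Returns what a later lookup of the FIRST one yields. */
uint32_t first_segment_flags(int use_offset)
{
    seg_table t = { .n = 0, .use_offset = use_offset };
    const seg_key k[3] = { {7, 40}, {7, 1500}, {7, 2960} };
    for (size_t i = 0; i < 3; i++) seg_store(&t, k[i], 1u << i);
    for (size_t i = 0; i < t.n; i++)
        if (key_equal(&t, t.e[i].key, k[0])) return t.e[i].flags;
    return 0;
}

int main(void)
{
    printf("frame-only: 0x%x, frame+offset: 0x%x\n",
           (unsigned)first_segment_flags(0), (unsigned)first_segment_flags(1));
    return 0;
}
```

With the frame-only key the first segment's lookup returns the last segment's flags, which is the misattributed analysis the thread is trying to avoid.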
