Wireshark-bugs: [Wireshark-bugs] [Bug 4905] VoIP Calls Prepare Filter unreliable
Date: Mon, 11 Oct 2010 04:54:32 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4905

--- Comment #16 from Jaap Keuter <jaap.keuter@xxxxxxxxx> 2010-10-11 13:54:31 CEST ---
(In reply to comment #12)
> (In reply to comment #10)
> > (In reply to comment #8)
> > > Additionally, the generated filter doesn't take into account reassembled IP
> > > fragments. Typically, if a long UDP packet takes 3 IP frames N, N+1, N+2, only
> > > the (N+2) will appear in the (or frame.number==...) list.
> > 
> > This is inevitable in the current reassembly implementation. If you try to
> > construct a data link layer filter from application layer messages, you're
> > isolated from the reassembly at the lower layer. Therefore there is no way to
> > know which packets were used in the reassembly, thus can't be added to the
> > filter.
> 
> Ah, but users don't care about API limitations, they just care about filtering
> VOIP calls properly in huge traces, to save and send by e-mail; this is
> currently impossible as soon as fragmentation occurs.

Sure, users don't care, but we do :)

> Don't you think that means that the API should be extended to handle the
> situation better?

Yes, it would be great if we could extend it in such a way, that could help
saving every filtered capture with fragmented packets (bug 3315).

> As a workaround, I'm currently adding _all_ incomplete fragments with "or":
> better to have too many of them than missing important ones. It could be a
> starting point until the API is extended...

... and we could even limit that to fragments between the first and last frame
of the call having the right protocol.

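An added example, not part of the original message and not Wireshark source code: a sketch of the workaround discussed above, building a display filter that keeps the call's frames plus IP fragments, limited to the window between the first and last frame of the call. It assumes "the right protocol" means UDP (`ip.proto==17`), as in the quoted fragmentation example; the packet records and the `selected` helper are constructed here to show which frames the filter would keep.

```python
UDP = 17  # assumption: "the right protocol" is UDP, as in the quoted example


def call_filter(call_frames, proto=UDP):
    """Display filter: the call's frames plus IP fragments inside its frame window."""
    frames = sorted(set(call_frames))
    by_number = " or ".join(f"frame.number=={n}" for n in frames)
    # The last fragment has MF cleared but a non-zero offset, so test both fields.
    fragments = (
        f"(frame.number>={frames[0]} and frame.number<={frames[-1]} "
        f"and ip.proto=={proto} and (ip.flags.mf==1 or ip.frag_offset>0))"
    )
    return f"({by_number}) or {fragments}"


def is_fragment(pkt):
    return pkt["mf"] or pkt["frag_offset"] > 0


def selected(packets, call_frames, proto=UDP):
    """Frame numbers the filter above keeps, evaluated on simple packet records."""
    frames = set(call_frames)
    lo, hi = min(frames), max(frames)
    return [p["frame"] for p in packets
            if p["frame"] in frames
            or (lo <= p["frame"] <= hi and p["proto"] == proto and is_fragment(p))]


# Constructed sample capture: a long UDP packet split over frames 11, 12, 13.
# Only frame 13 (where reassembly completes) is in the call's frame list.
PACKETS = [
    {"frame": 3,  "proto": 17, "mf": True,  "frag_offset": 0},     # fragment before the call
    {"frame": 10, "proto": 17, "mf": False, "frag_offset": 0},     # first call frame
    {"frame": 11, "proto": 17, "mf": True,  "frag_offset": 0},     # fragment N
    {"frame": 12, "proto": 17, "mf": True,  "frag_offset": 1480},  # fragment N+1
    {"frame": 13, "proto": 17, "mf": False, "frag_offset": 2960},  # fragment N+2
    {"frame": 14, "proto": 6,  "mf": False, "frag_offset": 0},     # unrelated TCP
    {"frame": 20, "proto": 17, "mf": False, "frag_offset": 0},     # last call frame
    {"frame": 25, "proto": 17, "mf": True,  "frag_offset": 0},     # fragment after the call
]
CALL_FRAMES = [10, 13, 20]

if __name__ == "__main__":
    print(call_filter(CALL_FRAMES))
    print(selected(PACKETS, CALL_FRAMES))
```

The window still admits fragments of other UDP flows that fall between the first and last call frame, so the result can contain extra packets but does not drop frames N and N+1.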