Wireshark-dev: Re: [Wireshark-dev] Adding new conversations to table
Date: Tue, 8 Sep 2009 15:45:31 -0400
On Tue, Sep 8, 2009 at 3:24 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Sep 8, 2009, at 12:14 PM, Beth wrote:

> I'm writing a dissector for a wireless protocol, and would like
> Wireshark to keep track of conversations between the various
> endpoints.
>
> The catch seems to be that the sniffer includes several additional
> protocol layers above the wireless protocol, i.e. Ethernet/IP/UDP,
> and the Wireshark conversation table only seems to include those
> protocols in the conversation table.
>
> In my dissector, I have added the usual call to find_conversation
> followed by if (c==NULL) conversation_new(...), but I'm not seeing
> my protocol in the conversation table.  What might I be missing here?

What you're missing is the fact that, unfortunately, Wireshark has no
general notion of conversations. :-(

I.e., the infrastructure needed to do what you want doesn't exist.  We
should provide a more general notion of conversations, for a number of
reasons.

What identifies the endpoints of your protocol's conversations?

OK, I'm really confused then.  What *does* the Wireshark conversation library do?
Or - maybe it doesn't matter, if it can't do what I was trying to do.

The dissector I'm writing is a protocol that runs inside 802.15.4, so the endpoints should be the EUI64 addresses of the devices that are communicating.  Or better yet, the addresses my protocol uses - but I'd be happy with the EUI64 addrs.

What Wireshark shows in the conversations table are Ethernet, IP, and UDP conversations (one of each) with addresses created by the sniffer during capture.  (At least, I think that's what they are - I don't know much about how the sniffer works, to be honest.  But I know the original RF packets that I'm dissecting don't have those layers.)

I had expected if I called conversation_new with the EUI64 addresses and the ports used by my protocol, I would be adding a new conversation to whatever Wireshark was already detecting.  Is it not creating anything at all, or is it simply creating something that Wireshark ignores when it creates the table?

Thanks,
b.
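The "find_conversation, else conversation_new" step described in the first message, reduced to a self-contained model (an added example, not Wireshark's own epan/conversation code): a table keyed on a pair of 8-byte EUI64 endpoints plus a port pair, where a lookup matches either direction and each entry remembers the frame that set it up. The function names, the fixed-size table and the sample EUI64 values are this model's own assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* One conversation: two EUI64 endpoints, two ports, the frame that created it,
 * and a packet counter.  Constructed model, not Wireshark's conversation_t. */
typedef struct {
    uint8_t a[8], b[8];
    uint16_t port_a, port_b;
    uint32_t setup_frame;
    int pkts;
} conv_t;

static conv_t table[64];
static int n_convs;

/* Match in either direction: (src,dst,sport,dport) or the reverse. */
static conv_t *find_conv(const uint8_t *src, const uint8_t *dst, uint16_t sport, uint16_t dport) {
    for (int i = 0; i < n_convs; i++) {
        conv_t *c = &table[i];
        if (!memcmp(c->a, src, 8) && !memcmp(c->b, dst, 8) && c->port_a == sport && c->port_b == dport) return c;
        if (!memcmp(c->a, dst, 8) && !memcmp(c->b, src, 8) && c->port_a == dport && c->port_b == sport) return c;
    }
    return NULL;
}

/* Create a conversation; the first packet seen becomes its setup frame. */
static conv_t *conv_new(uint32_t frame, const uint8_t *src, const uint8_t *dst, uint16_t sport, uint16_t dport) {
    if (n_convs == 64) return NULL;               /* table full: caller sees NULL */
    conv_t *c = &table[n_convs++];
    memcpy(c->a, src, 8); memcpy(c->b, dst, 8);
    c->port_a = sport; c->port_b = dport; c->setup_frame = frame; c->pkts = 0;
    return c;
}

/* Per-packet step a dissector performs: look the conversation up, else create it. */
static conv_t *dissect_packet(uint32_t frame, const uint8_t *src, const uint8_t *dst, uint16_t sport, uint16_t dport) {
    conv_t *c = find_conv(src, dst, sport, dport);
    if (c == NULL) c = conv_new(frame, src, dst, sport, dport);
    if (c) c->pkts++;
    return c;
}

static int conv_count(void) { return n_convs; }

int main(void) {
    /* Constructed sample EUI64 addresses for two devices. */
    static const uint8_t dev1[8] = {0x00,0x12,0x4b,0,0,0,0,0x01}, dev2[8] = {0x00,0x12,0x4b,0,0,0,0,0x02};
    dissect_packet(1, dev1, dev2, 0x20, 0x21);
    dissect_packet(2, dev2, dev1, 0x21, 0x20);    /* reply: same conversation */
    dissect_packet(3, dev1, dev2, 0x30, 0x21);    /* different source port: new one */
    printf("%d conversations\n", conv_count());
    return 0;
}
```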