Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] master 31ecdf5: Refactor "common" Conver
On Jul 28, 2014, at 8:34 PM, mmann78@xxxxxxxxxxxx wrote:
> On a related note, I took the "common" Conversation table functionality a step further and "merged in" the hostlist/endpoint functionality (https://code.wireshark.org/review/3214/). Since I don't know a lot about conversations/endpoints, does it make sense to separate the two (from a dissector/epan API standpoint) or combine them? Is it just a "coincidence" that the same dissectors that have conversations, also have endpoints?
No, but...
> Or would it be possible for a dissector to have one without the other?
...yes.
libwireshark has its own notion of "conversations", which we might be able to unify with the conversation table notion.
It also has a notion of "circuits", which are for protocols where you have virtual circuit identifiers independent of endpoint identifiers, e.g. X.25. There might still be endpoint identifiers for those protocols.
> Why is the tap name "hosts" for everything but TCP and UDP (which use "endpoint")?
Because, for some protocols, an endpoint identifier identifies a machine (e.g., a MAC address for LAN segment-level conversations or an IP address for network-layer conversations) and, for others, it identifies an entity on a machine (e.g., an IP address plus a port, for TCP connections or UDP conversations).