Wireshark · Ethereal-dev: [ethereal-dev] Re: [ethereal-users] freeze

Ethereal-dev: [ethereal-dev] Re: [ethereal-users] freeze

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Nathan Neulinger <nneul@xxxxxxx>

Date: Mon, 07 Feb 2000 07:52:17 -0600

I'd like to suggest that a useful feature would be a menu item that did
"resolve addresses", and perhaps one on the per-packet right-click menu
as well to do it just for that packet. 

I don't know how much trouble this would be to implement, but it seems
like it shouldn't be too difficult to go back and resolve addresses for
previous frames at a later time.

-- Nathan

Guy Harris wrote:
> 
> > > (Oh, and, if you do this, make sure you'd run Ethereal with name
> > > resolution turned off; I'm not sure which particular call the DNS or NIS
> > > name-lookup code uses to read replies, but I'd rather not have to worry
> > > about whether the "recvfrom()" is receiving a packet from the socket
> > > it's using for snooping or from a socket it's using for making requests
> > > over the network.)
> >
> > That's it! When I turn off name resolution, everything is fine.
> 
> DNS lookups often take a really long time to time out if the DNS server
> isn't responding.  When Ethereal is reading in a capture - or when it's
> doing an "update the screen as packets come in" capture - it will, by
> default, try to translate IP addresses to host names, which can cause it
> to hang for a while until the OS's DNS resolver finally times out and
> gives up.
> 
> That's probably what's happening.
> 
> > And I observed the following: When name resolution is turned on, every second
> > call is a DNS, i.e., DNS, IP, ICMP, DNS, IP, ICMP, DNS... (maybe my
> > stack is misconfigured, or their stack is misconfigured?) Disabling name
> > resolution gives: DNS, IP, ICMP, IP, ICMP...
> 
> No, every second call is an attempt by Ethereal to look up the name it
> saw in previous packets - i.e., if you turn name resolution on and do an
> "update the screen as packets come in" capture, on most OSes some of the
> traffic you see will be due to Ethereal itself (the packet-capture
> mechanism in a few OSes may not be able to see packets that the machine
> itself is transmitting, but Linux is probably not one of those OSes).

-- 


------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@xxxxxxx
University of Missouri - Rolla         Phone: (573) 341-4841
CIS - Systems Programming                Fax: (573) 341-4216

Follow-Ups:
- Re: [ethereal-dev] Re: [ethereal-users] freeze
  - From: Laurent Deniel

Prev by Date: Re: [ethereal-dev] Cisco trunking negociating protocols
Next by Date: Re: [ethereal-dev] Win32 DLL Plugin code
Previous by thread: [ethereal-dev] Protocol Inspector
Next by thread: Re: [ethereal-dev] Re: [ethereal-users] freeze
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$