Wireshark · Ethereal-dev: Re: [Ethereal-dev] Ethereal DNS Traffic Storm

Ethereal-dev: Re: [Ethereal-dev] Ethereal DNS Traffic Storm

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxxxxxx>

Date: Thu, 25 Mar 2004 16:13:52 -0600

Wescott, David H wrote:

We have seen as high as 1,132 frames-per-second of DNS related trafficfrom a single Ethereal client. We were able to capture a sample traceof an Ethereal DNS traffic storm. There were a total of 547,226 framesof DNS related traffic in ~8 minutes. This was ~36 Meg of networktraffic, with an overall average rate of 1,132 packets-per-second. Insummary, the Ethereal client PC sent a total of 250,461 DNS connectionattempts/// (TCP port 53)/ to 5 different DNS servers in ~8 minutes.There were ~50K connection attempts per DNS server in this sampletrace. This traffic continued until the Ethereal application wasaborted. The 3 valid DNS servers each answered as expected with a TCPSYN ACK. The client then responded to these TCP SYN ACK frames with aTCP RST/// (Reset)/ aborting the connection attempt.
Is anyone aware of this issue? Please advise so that we can get thisproblem corrected.

If you go to Edit->Preferences->Name Resolution, is network nameresolution enabled, and if so is concurrent DNS name resolution enabled?Are there hundreds of thousands of unique IP addresses in the trafficthat you're capturing? If so, then this behavior is expected.

By default, Ethereal tries to resolve any IP addresses that it finds.If you're capturing a lot of unique IP addresses, then Ethereal willcorrespondingly generate a lot of DNS queries. It keeps a local cacheof host names, so each address should only be queried once per capturesession. I'm not sure what to make of the TCP connection attempts.We're using the ADNS library for concurrent name resolution; it soundslike it may have a bug. ADNS uses the host's default name servers forresolution. Do you have all five DNS servers configured on your system?

You can disable network name resolution from the Preferences dialogabove, or by selecting View->Name Resolution->Enable for Network Layer.

References:
- [Ethereal-dev] Ethereal DNS Traffic Storm
  - From: Wescott, David H

Prev by Date: RE: [Ethereal-dev] TCP/IP Retransmission
Next by Date: [Ethereal-dev] ARP Source IP address incorrect
Previous by thread: [Ethereal-dev] Ethereal DNS Traffic Storm
Next by thread: [Ethereal-dev] Ethereal patch for IEEE 802.11i/RSN IE / packet-ieee80211.c
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$