
List:       ethereal-dev
Subject:    Re: [ethereal-dev] resolving thoughts
From:       Laurent Deniel <deniel () worldnet ! fr>
Date:       1998-09-18 22:51:29

Hannes R. Boehm wrote:
> 
> On Sun, Sep 06, 1998 at 06:52:45PM +0200, Laurent Deniel wrote:
> > Hannes R. Boehm wrote:
> > >
> > > On Sun, Sep 06, 1998 at 02:46:37PM +0200, Laurent Deniel wrote:
> > > > Hi,
> > > >
> > > >  I have implemented network object name resolving.  The current
> > > >  implemented objects are : IP addresses, UDP and TCP ports.
> > > >
> > > >  All name resolutions use a hash table to optimize lookup time
> > > >  and a mechanism is implemented to avoid long DNS timeout for
> > > >  hostname lookups.
> > >
> > > Do you know the NAI Sniffer ?
> > >
> > > It does take the RR from DNS packets it has already analyzed instead of
> > > making a lookup itself. This way there is no traffic generated by the sniffer.
> > > (even if not all IPs show up in the DNS packets it is quite useful)
> > >
> >
> > Yes but as ethereal analyses dump files, the generated traffic is not
> > important (there is no lookup during the capture phase). And I prefer
> > to make real lookup since the captured packets may have been filtered
> > (i.e. no DNS packets in the file).
> 
> That's right, but:
> 
> when you capture in a private LAN, and send the capture file to a friend
> (for analysis with ethereal) -> he will not be able to do any lookups.
> (or he will get other names (since his machine may be located in a
> private Internet too.)

Yes, this is why, like tcpdump, there is a -n option ;-)

And adding hostnames in the hash table from DNS packets is already in my
"To do" list (will be made after the eth resolution).

> 
> anyway: I like your resolving code (especially that you use hash tables.).

Thanks.

> 
> wkr
>    Hannes
> 

I've planned to implement the ether/manuf resolution. Expect a patch soon.
As stated in a previous post, I will use /etc/ethers and /etc/manuf.
The first file will be checked when an entry is not found in the hash
table (like UDP/TCP port) while the second file (manuf) will be put
completely in the hash table at initialization phase (my list of common
vendors has ~ 100 entries, a complete list may have 800 entries which
represent less than 20Kbytes).

Laurent.

--
Laurent DENIEL            | E-mail: deniel@worldnet.fr
Paris, FRANCE             |         deniel@fr.airsysatm.thomson-csf.com
                          | WWW   : http://www.worldnet.fr/~deniel
    All above opinions are personal, unless stated otherwise.
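
The two-tier lookup described in this message, as an added example that is not the patch announced above and not Ethereal code: the vendor list is loaded into a hash table once, while the ethers data is consulted only on a hash miss and the hit is then cached. The function names, the table size, the `Vendor_xx:xx:xx` fallback format and the in-memory strings standing in for /etc/manuf and /etc/ethers are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample data standing in for /etc/manuf and /etc/ethers. */
static const char *MANUF = "00:00:0C Cisco\n08:00:20 Sun\n00:A0:C9 Intel\n";
static const char *ETHERS = "08:00:20:01:02:03 fileserver\n";
#define NSLOTS 1024 /* assumed size, above the ~800 vendor entries mentioned */
typedef struct { uint64_t key; char name[32]; int used; } entry_t;
static entry_t manuf_tbl[NSLOTS], eth_tbl[NSLOTS];
int ethers_scans = 0; /* number of lazy ethers lookups performed */

/* Linear probing: the slot holding key, else its free slot, NULL if full. */
static entry_t *slot(entry_t *t, uint64_t key) {
    unsigned i = (unsigned)((key ^ (key >> 24)) % NSLOTS), n;
    for (n = 0; n < NSLOTS && t[i].used && t[i].key != key; n++) i = (i + 1) % NSLOTS;
    return n < NSLOTS ? &t[i] : NULL;
}

/* Read "octets name" lines; store every entry (all) or only the key `want`. */
static int scan(const char *p, int nbytes, entry_t *t, uint64_t want, int all) {
    int added = 0;
    while (*p) {
        char line[96], name[32]; unsigned b[6] = {0}; uint64_t key = 0; entry_t *e;
        size_t n = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, p); /* isolate one line */
        p += n + (p[n] == '\n');
        int got = nbytes == 3
            ? sscanf(line, "%2x:%2x:%2x %31s", &b[0], &b[1], &b[2], name)
            : sscanf(line, "%2x:%2x:%2x:%2x:%2x:%2x %31s", &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], name);
        if (got != nbytes + 1) continue; /* blank, comment or malformed line */
        for (int i = 0; i < nbytes; i++) key = (key << 8) | b[i];
        if ((!all && key != want) || !(e = slot(t, key))) continue;
        e->key = key; e->used = 1; strcpy(e->name, name); added++;
    }
    return added;
}

int resolv_init(void) { return scan(MANUF, 3, manuf_tbl, 0, 1); } /* preload vendors */

const char *ether_name(const uint8_t m[6], char *out, size_t len) {
    uint64_t mac = 0; entry_t *e, *v;
    for (int i = 0; i < 6; i++) mac = (mac << 8) | m[i];
    if ((e = slot(eth_tbl, mac)) && !e->used) { ethers_scans++; scan(ETHERS, 6, eth_tbl, mac, 0); }
    v = slot(manuf_tbl, mac >> 24); /* vendor prefix = first three octets */
    if (e && e->used) snprintf(out, len, "%s", e->name);
    else if (v && v->used) snprintf(out, len, "%s_%02x:%02x:%02x", v->name, m[3], m[4], m[5]);
    else snprintf(out, len, "%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
    return out;
}
```

Call `resolv_init()` once before `ether_name()`; addresses absent from the ethers data are not cached, so each such lookup scans it again.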
