Wireshark-dev: Re: [Wireshark-dev] manual address resolution is broken

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 28 May 2013 18:29:07 -0700
On May 28, 2013, at 5:32 PM, Ed Beroset <beroset@xxxxxxxxxxxxxx> wrote:

> As I understand it, there are potentially four different (potential) sources for name resolution.  They are 1) a named hosts file (not necessarily the system hosts file) 2) whatever is behind OS gethostbyaddr() call

*Or* whatever we offer as a replacement for gethostbyaddr(), such as ADNS or C-ARES (to do asynchronous name resolution).

(What's behind gethostbyaddr() is probably:

	on UN*X, some combination of the system hosts file and DNS and/or NIS;

	on Windows, some combination of the system hosts file and DNS and/or NetBIOS.

NIS and NetBIOS are legacy mechanisms, but there are probably still sites using them; I don't know if any sites where anybody's likely to use Wireshark use them *instead of*, rather than *in addition to*, DNS.)

> 3) NRB in capture file and 4) manually entered names.
>
> For name resolution, I'm thinking that it might be useful to allow the user to select both the order for resolution and whether each is used or not.

Yes, that might be useful, at least for some sources.

However, I suspect that:

	manually entered names wouldn't have been entered if they weren't intended to override everything else;

	for a given capture file, name/address pairs from the NRB should *always* override all other sources; if they're not the right pairs for the file, they shouldn't have been in the file in the first place.

	whether the hosts file should override anything else may depend on what the host file's purpose is:

		if it's the system hosts file, being used in addition to ADNS or C-ARES, it shouldn't override anything that ADNS or C-ARES don't override (if you're using gethostbyaddr(), it's probably already using the system hosts file, so there's no need to specify it explicitly);

		if it's a personal hosts file, it should probably override system sources such as gethostbyaddr(), but nothing else;

		if it's a per-capture hosts file - i.e., a hosts file that works around the lack of pcap-ng-style in-capture-file name/address pairs in file formats that don't support it - it should probably be treated the same way NRB entries are treated.

(Perhaps there should be support for multiple types of host files - personal, which might be in a hosts file in your Wireshark settings directory, and per-capture-file.

As for the system hosts file, is there any reason to use ADNS or C-ARES instead of, for example, multiple name resolver threads using Boring Old gethostbyaddr()?)
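As an added illustration of the precedence argued for in this message (example code, not Wireshark's own), the resolver below merges a manual table, NRB pairs, a parsed hosts file and a stand-in for gethostbyaddr in that fixed order, lets the user switch individual sources off as Ed suggested, and reports which source supplied each name. All addresses, names and the `SYSTEM` stand-in for gethostbyaddr are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Resolution order, highest priority first, as argued in the message: manual
# entries override everything; NRB pairs and a per-capture hosts file follow;
# a personal hosts file beats only system resolution (gethostbyaddr or its
# asynchronous replacements, which already consult the system hosts file).
PRECEDENCE = ("manual", "nrb", "per_capture_hosts", "personal_hosts", "system")

def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax: 'address name [aliases...]' with '#' comments.
    The first name on a line is canonical; a later line for the same address
    does not replace an earlier one, as common resolvers behave."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment only, or an address with no name
        table.setdefault(fields[0], fields[1])
    return table

@dataclass
class Resolver:
    tables: Dict[str, Dict[str, str]] = field(default_factory=dict)
    system_lookup: Optional[Callable[[str], Optional[str]]] = None

    def resolve(self, addr: str, enabled=None) -> Optional[Tuple[str, str]]:
        """Return (name, source) from the highest-priority enabled source that
        knows addr, or None; 'enabled' switches sources off without reordering."""
        for source in PRECEDENCE:
            if enabled is not None and source not in enabled:
                continue
            if source == "system":
                name = self.system_lookup(addr) if self.system_lookup else None
            else:
                name = self.tables.get(source, {}).get(addr)
            if name:
                return name, source
        return None

# Constructed sample data, not taken from any real capture or host.
PERSONAL_HOSTS = "10.0.0.5 jump-host jh  # analyst's own label\n10.0.0.9 printer\n"
NRB_PAIRS = {"10.0.0.5": "web01.example.test"}
MANUAL = {"10.0.0.9": "rogue-printer"}
SYSTEM = {"10.0.0.5": "host-5.corp.example", "10.0.0.7": "dc1.corp.example"}

def demo(enabled=None) -> Dict[str, Optional[Tuple[str, str]]]:
    r = Resolver({"manual": MANUAL, "nrb": NRB_PAIRS,
                  "personal_hosts": parse_hosts(PERSONAL_HOSTS)}, SYSTEM.get)
    return {a: r.resolve(a, enabled) for a in ("10.0.0.5", "10.0.0.9", "10.0.0.7", "10.0.0.8")}
```

Because the NRB entry for 10.0.0.5 wins over the analyst's own hosts-file label, returning the source alongside the name lets a reviewer see when a label came from the capture file rather than from their own environment.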