Wireshark-dev: Re: [Wireshark-dev] Memory consumption in tshark

From: Anders Broman <a.broman@xxxxxxxxxxxx>
Date: Thu, 29 Aug 2013 21:02:34 +0200
Anders Broman wrote 2013-08-29 17:20:

 

 

From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Dario Lombardo
Sent: 29 August 2013 17:07
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Memory consumption in tshark

 

On Thu, Aug 29, 2013 at 4:35 PM, Evan Huus <eapache@xxxxxxxxx> wrote:

Basically, but it's also more. If your capture contains a DNS packet resolving a name in a certain way, and the system name resolver gives a different answer, we prefer the DNS packet in the capture (since presumably the capture was on some local network where that name resolves differently). For this reason we can't just drop old cache entries unless name resolution is disabled completely.

 

That's really interesting. This means that if a DNS packet with a fake resolution is got, it can pollute the "cache". 

I've triggered this behaviour in the attached pcap file. It appears that I'm pinging google (in my svn wireshark), while actually I'm pinging a private address :).

 

We should probably have a ****load of parameters to tune the behavior of address resolution :) as there seem to be many opinions on the subject.

I have checked in a change to not store addresses in the hash table when name resolution is off. It remains to do changes to not store unresolved addresses when address resolution is used. 



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
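
An added illustration, not part of the original thread and not Wireshark's code: a small Python model of the precedence described above, where a name taken from a DNS answer inside the capture overrides the system resolver's answer, plus a check that flags capture-derived labels contradicted by a trusted name-to-address map. The function names, hostnames, addresses and the trusted map are all constructed for this example.

```python
import ipaddress

# Constructed sample data (not taken from the attached pcap).
CAPTURE_ANSWERS = [            # (name, address) pairs seen in DNS answers in the capture
    ("www.example.com", "10.0.0.5"),
    ("intranet.example.net", "10.0.0.9"),
]
SYSTEM_NAMES = {               # what the analyst's own resolver would return per address
    "10.0.0.5": "host5.lan",
    "192.0.2.10": "www.example.com",
}
TRUSTED_FORWARD = {            # independently verified name -> addresses (assumption)
    "www.example.com": {"192.0.2.10"},
}

def display_names(capture_answers, system_names):
    """Return {address: (name, source)} with capture-derived names taking
    precedence over system-resolver names, as described in the thread."""
    table = {addr: (name, "system") for addr, name in system_names.items()}
    for name, addr in capture_answers:
        table[addr] = (name, "capture")   # capture content overrides the resolver
    return table

def audit(capture_answers, trusted_forward):
    """List capture-derived labels that the trusted map contradicts."""
    findings = []
    for name, addr in capture_answers:
        expected = trusted_forward.get(name.lower().rstrip("."))
        if expected is None:
            continue                      # no trusted data for this name
        if addr not in expected:
            findings.append({
                "name": name,
                "address": addr,
                "private": ipaddress.ip_address(addr).is_private,
                "expected": sorted(expected),
            })
    return findings

if __name__ == "__main__":
    for addr, (name, source) in sorted(display_names(CAPTURE_ANSWERS, SYSTEM_NAMES).items()):
        print(f"{addr:12} shown as {name} (from {source})")
    for f in audit(CAPTURE_ANSWERS, TRUSTED_FORWARD):
        print("conflict:", f)
```

When reading a capture from an untrusted source, a finding here means the hostname shown next to that address came from the capture itself and should not be taken as the real destination.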