ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Ethereal-dev: Re: [Ethereal-dev] Ethereal DNS Traffic Storm

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Gerald Combs <gerald@xxxxxxxxxxxx>
Date: Thu, 25 Mar 2004 16:13:52 -0600
Wescott, David H wrote:
We have seen as high as 1,132 frames-per-second of DNS related traffic from a single Ethereal client. We were able to capture a sample trace of an Ethereal DNS traffic storm. There were a total of 547,226 frames of DNS related traffic in ~8 minutes. This was ~36 Meg of network traffic, with an overall average rate of 1,132 packets-per-second. In summary, the Ethereal client PC sent a total of 250,461 DNS connection attempts/// (TCP port 53)/ to 5 different DNS servers in ~8 minutes. There were ~50K connection attempts per DNS server in this sample trace. This traffic continued until the Ethereal application was aborted. The 3 valid DNS servers each answered as expected with a TCP SYN ACK. The client then responded to these TCP SYN ACK frames with a TCP RST/// (Reset)/ aborting the connection attempt.
Is anyone aware of this issue? Please advise so that we can get this problem corrected.
If you go to Edit->Preferences->Name Resolution, is network name resolution enabled, and if so is concurrent DNS name resolution enabled? Are there hundreds of thousands of unique IP addresses in the traffic that you're capturing? If so, then this behavior is expected.
By default, Ethereal tries to resolve any IP addresses that it finds. If you're capturing a lot of unique IP addresses, then Ethereal will correspondingly generate a lot of DNS queries. It keeps a local cache of host names, so each address should only be queried once per capture session. I'm not sure what to make of the TCP connection attempts. We're using the ADNS library for concurrent name resolution; it sounds like it may have a bug. ADNS uses the host's default name servers for resolution. Do you have all five DNS servers configured on your system?
You can disable network name resolution from the Preferences dialog above, or by selecting View->Name Resolution->Enable for Network Layer.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube