Hi,
I have a simple suggestion.
Maybe ethereal could import the captures in stages.
(i) Do the import as if -n was provided, that is no name resolution.
(ii)Display the capture.
(iii)Go down the packet list and update the names IF the '-n' flag was
not given. The user can browse packets as usual, but sees the ip only
names progressly changing to resolved names.
This change I think would help newbies, like me, a lot. Before I read
this email, I wondered why ethereal was so slow.
-Kervin
Guy Harris wrote:
>
> > I have a simple question. One of my clients needed me to do a weekend
> > capture at their site. The capture is quite large, about 84.1 meg. When I
> > load it into ethereal either on my linux box or my win2k box it hangs it
>
> That probably means that the capture includes IP addresses that, when
> your machine tries to resolve them, cause your machine's
> IP-address-resolution code to take a long time to do so (or causes them
> to try to talk to an unresponsive DNS server, so that it takes a long
> time to time out - or perhaps the attempts fail, with "no such host",
> quickly, and Windows' host name resolver tries NBNS after that; NBNS
> IP-address-to-hostname resolutions involve, as I remember, sending an
> NBNS "Node Status Request" packet to the IP address and waiting for an
> NBNS "Node Status Reply" containing NBNS names, and if that host doesn't
> respond, that could take a while).
>
> I think the Windows version of the code in Ethereal doesn't do its own
> "fast timeout" to give up on those resolution attempts after a few
> seconds (the mechanism used in UNIX depends on the UNIX signaling
> mechanism, so it'd have to be redone for Windows), so attempts to look
> up host names that aren't in DNS could take a while.
>
> As the capture was at the client's site, I could easily imagine that
> there are IP addresses in the capture that aren't in a DNS server
> accessible to the outside world.
>
> You will also get delays on Linux, but, as Linux
>
> 1) is UNIX-compatible, and therefore can use the "fast timeout"
> in Ethereal's lookup code;
>
> 2) doesn't do NBNS resolution, normally (I guess somebody could
> write an NBNS-resolution mechanism and plug it into the name
> service switch, but I don't think anybody's done that);
>
> the delays won't be as bad.
>
> As such, the first thing I'd try would be to turn off IP-address-to-name
> resolution when loading the capture; either run Ethereal with the "-n"
> flag, or, if you're opening the file with the "File->Open" menu item
> rather than specifying it on the command line, disable network name
> resolution by un-selecting the "Enable network name resolution" checkbox
> in Ethereal 0.8.19, or the "Enable name resolution" checkbox in older
> versions.
>
> > or makes it really slow. I increased the virtual memory on both boxes
> > (yes i know it is called something different on the linux box),
>
> I assume that means "increased the amount of swap space available"; if
> so, running out of swap space probably means that attempts to allocate
> memory will fail, which won't cause Ethereal to hang, it'll cause
> Ethereal to abort. That's probably not your problem.
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
