I opened it again in Ethereal, and this time I ran another copy of
Ethereal and captured the first Ethereal's traffic.
I saw that my system was only doing one lookup per address, not one
lookup per packet.
As it turns out, there were some other packets in the trace, and
Ethereal was doing its job properly!
It even cached failures.
Sorry for any false alarms!
Matt
> Is there a way to make Ethereal cache the addresses it has
already resolved?
It *does* include code to do that; that code even caches failures.
I loaded a trace of a udp flood, with 62,000+ packets with the same
source and destination address. Ethereal tried to resolve the
addresses for each and every packet, even though they were identical.
Are you certain of that? If it's not caching both successes and
failures, that's a bug.
Needless to say, it would have taken forever, so I canceled and
re-opened it with name resolution disabled. It opened in a matter of
seconds after that!
Note that the fact that disabling name resolution doesn't *ipso facto*
demonstrate that the problem is that it was trying to resolve the
address for each packet; it could only mean that one of them was very
slow to be resolved.
--
Matt Richard
Access and Security Coordinator
Franklin & Marshall College
P.O. Box 3003
Lancaster, PA 17604-3003
PH: 717-291-4157
FAX: 717-291-4196
e-mail: m_richard@xxxxxxxxx
