ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Ethereal-users: Re: [Ethereal-users] display filter problem...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 20 Jan 2006 09:23:17 +0100 (CET)

On Fri, 20 Jan 2006, Guy Harris wrote:

> Jack Jackson wrote:
> > At 03:14 PM 1/19/2006, Gerald Combs wrote:
> >> Jack Jackson wrote:
> >> >
[snip]
> There are at least a couple of possibilities here:
>
> 	1) don't check the filter's validity after every change to the filter
> field - just do it if N seconds have passed since the last change to the
> filter field, for some presumably-low value of N;
>
> 	2) disable name-to-address resolution when compiling the filter to test
> whether it's valid - just "resolve" everything to 127.0.0.1 or something
> such as that.

Number two gets my vote! Resolve it when it's time to apply the filter.

> 1) still leaves the possibility of a delay, but does support checking
> the validity of items being compared against IP addresses.  2) won't get
> delayed, but won't fully check the validity of the expression.
>
> > There is an issue here for OSes that have NetBIOS over TCP enabled
> > (probably only Windows) - on my XP machine each unsuccessful name
> > resolution tries three ways:  DNS query, then a WINS query, then several
> > NetBIOS Name Service broadcasts (the delays come from waiting for a
> > response to the broadcasts).  Turning off NetBIOS over TCP gets rid of
> > the delays, and I suspect that is the only viable solution.
>
> *If* the machine can be configured as a P node, that should turn off the
> broadcasts, but that might have other undesired effects.

Yep, it does.

> This is a more general problem - NBT name lookup causes delays in other
> places (e.g., mapping IP addresses to host names), at least if you're
> not using ADNS (ADNS doesn't support NBT, just DNS).
>
> It's also part of a broader problem; as noted in other mail in this
> thread, people have seen it on UN*Xes as well - it's just that NBT makes
> it worse.
>
> We could conceivably use ADNS for name-to-address lookup as well, which
> would eliminate NBT lookups for those.  It wouldn't fix problems caused
> by slow DNS resolution or dead DNS servers.

So route name resolving through ADNS (if available). Name resolving will
always depend on the way the DNS performs, apart from a hosts file there's
no way around that.

Thanx,
Jaap
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube