[Gerald Combs <gerald@xxxxxxxxxxxx>]

Wescott, David H wrote:

> We have seen as high as 1,132 frames-per-second of DNS related traffic 
> from a single Ethereal client.  We were able to capture a sample trace 
> of an Ethereal DNS traffic storm.  There were a total of 547,226 frames 
> of DNS related traffic in ~8 minutes.  This was ~36 Meg of network 
> traffic, with an overall average rate of 1,132 packets-per-second.  In 
> summary, the Ethereal client PC sent a total of 250,461 DNS connection 
> attempts/// (TCP port 53)/ to 5 different DNS servers in ~8 minutes.  
> There were ~50K connection attempts per DNS server in this sample 
> trace.  This traffic continued until the Ethereal application was 
> aborted.  The 3 valid DNS servers each answered as expected with a TCP 
> SYN ACK.  The client then responded to these TCP SYN ACK frames with a 
> TCP RST/// (Reset)/ aborting the connection attempt.
>
> Is anyone aware of this issue?  Please advise so that we can get this 
> problem corrected.

If you go to Edit->Preferences->Name Resolution, is network name 
resolution enabled, and if so is concurrent DNS name resolution enabled? 
  Are there hundreds of thousands of unique IP addresses in the traffic 
that you're capturing?  If so, then this behavior is expected.

By default, Ethereal tries to resolve any IP addresses that it finds. 
If you're capturing a lot of unique IP addresses, then Ethereal will 
correspondingly generate a lot of DNS queries.  It keeps a local cache 
of host names, so each address should only be queried once per capture 
session.  I'm not sure what to make of the TCP connection attempts. 
We're using the ADNS library for concurrent name resolution; it sounds 
like it may have a bug.  ADNS uses the host's default name servers for 
resolution.  Do you have all five DNS servers configured on your system?

You can disable network name resolution from the Preferences dialog 
above, or by selecting View->Name Resolution->Enable for Network Layer.