> Why does tethereal do DNS lookups when I am just writing the packets to
> another file?

That's probably the wrong way to ask the question, as it could be read
as implying that Tethereal *always* does DNS lookups when writing
packets to a file.

The correct question is:

> tethereal -s2000 -r dump -w 1st10secs 'frame.time_relative <= 10'
>
> is much much slower than
>
> tethereal -nn -s2000 -r dump -w 1st10secs 'frame.time_relative <= 10'
>
> because it does DNS lookups.

"Why, when I'm using a read filter, does tethereal do DNS lookups?"
The answer is "because, if you're using a read filter, you're not *just*
writing the packets to another file, you're doing a *full dissection* of
the packets, in order to be able to evaluate the read filter; if '-n'
isn't specified, a full dissection includes looking up host names".

Some parts of a full dissection could, in theory, be made not to do host
name lookups if you're not generating readable text - which it shouldn't
be doing if you're doing the full dissection in order to evaluate a read
filter expression.

However, there are places where the dissector directly generates the
readable text; the name lookup couldn't be suppressed there, as the
dissector calls the name resolution code itself.

We could conceivably suppress the lookup if we're suppressing the text
generation; however, given that there's a workaround, namely specifying
"-n", I'm not going to give that a very high priority, given the number
of other backlogged projects I already have.