On Thu, Nov 22, 2001 at 04:11:59AM -0800, Matthew and Molly Kidd wrote:
> I'm running ethereal 0.8.20 under NT

Then you run the risk of slow name resolution.

On Windows, converting IP addresses to names involves, among other
things, doing a DNS lookup and, if that fails (e.g., because the DNS
server being queried doesn't know the name corresponding to the IP
address in question), doing a NetBIOS-over-TCP name service reverse
lookup.

Unfortunately, as the NetBIOS Name Service protocol has no reverse
lookup query, that can only be done by sending a NetBIOS Name Service
"node status request" to the IP address in question, and waiting for a
reply.

If the reply comes back, the OS's IP-address-lookup code can get the
name from the reply.

If no reply comes back, the OS's IP-address-lookup code has spent a
significant amount of time waiting for the reply before giving up.

> Granted name resolution takes some time. But the sort of thing I'm looking
> at is a simple 500 packet HTTP session that involves no more than say 10
> distinct IP addresses. I would expect that all 10 IP addresses could be
> resolved in a couple of seconds at most based on how quickly nslookup
> returns an answer from the LameDOS command line (well under a second).

"nslookup" does only a DNS lookup, not a NetBIOS lookup.

> My speculation is that ethereal is doing a separate name resolution for
> each address in each packet instead of first determining the distinct set
> of IP addresses and just doing name resolution for those.

"Instead" is the wrong word to use here. Those are not the only
alternatives available.

Ethereal does neither of those; instead, it does a name resolution the
first time it sees an IP address, and remembers the result of the name
resolution - even if it's a negative result, i.e. even if it got back no
answer. (This is different from determining the set of IP addresses
and, after doing that, looking them all up.)
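
The first-sight lookup with remembered negative results described in the message above, as an added C example that is not part of the original post and not Ethereal's own code. The names `slow_resolve`, `cached_hostname` and `dissect_capture`, the sample addresses and the rule that odd addresses get no answer are all hypothetical, constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CACHE_SLOTS 64   /* power of two; the sample must use fewer addresses */

struct entry { int used; uint32_t addr; int resolved; char name[64]; };
static struct entry cache[CACHE_SLOTS];
static unsigned slow_lookups;   /* times the slow resolver actually ran */

/* Hypothetical stand-in for the OS lookup (DNS, then NetBIOS node status).
 * Constructed rule: odd addresses never answer, i.e. the lookup times out. */
static int slow_resolve(uint32_t addr, char *out, size_t len)
{
    slow_lookups++;
    if (addr & 1)
        return 0;
    snprintf(out, len, "host-%u.example", (unsigned)(addr & 0xff));
    return 1;
}

/* Resolve on first sight; remember the answer, including "no answer". */
static const char *cached_hostname(uint32_t addr)
{
    unsigned i = (addr * 2654435761u) & (CACHE_SLOTS - 1);
    while (cache[i].used && cache[i].addr != addr)
        i = (i + 1) & (CACHE_SLOTS - 1);          /* linear probing */
    if (!cache[i].used) {                         /* first time this address is seen */
        cache[i].used = 1;
        cache[i].addr = addr;
        cache[i].resolved = slow_resolve(addr, cache[i].name, sizeof cache[i].name);
    }
    return cache[i].resolved ? cache[i].name : NULL;
}

/* Constructed capture: `packets` packets cycling over `hosts` addresses. */
static unsigned dissect_capture(unsigned packets, unsigned hosts)
{
    memset(cache, 0, sizeof cache);
    slow_lookups = 0;
    for (unsigned p = 0; p < packets; p++)
        (void)cached_hostname(0x0a000000u + p % hosts);
    return slow_lookups;
}

int main(void)
{
    printf("slow lookups for 500 packets: %u\n", dissect_capture(500, 10));
    return 0;
}
```

Without the `resolved == 0` entries being kept, each of the five unanswered addresses would cost a full timeout on every packet that mentions it instead of once per capture.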