Home page logo

wireshark logo Wireshark mailing list archives

Re: Memory consumption in tshark
From: Anders Broman <anders.broman () ericsson com>
Date: Thu, 29 Aug 2013 15:20:33 +0000

From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Dario Lombardo
Sent: den 29 augusti 2013 17:07
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Memory consumption in tshark

On Thu, Aug 29, 2013 at 4:35 PM, Evan Huus <eapache () gmail com<mailto:eapache () gmail com>> wrote:
Basically, but it's also more. If your capture contains a DNS packet resolving a name in a certain way, and the system 
name resolver gives a different answer, we prefer the DNS packet in the capture (since presumably the capture was on 
some local network where that name resolves differently). For this reason we can't just drop old cache entries unless 
name resolution is disabled completely.

That's really interesting. This means that if a DNS packet with a fake resolution is got, it can pollute the "cache".
I've triggered this behaviour in the attached pcap file. It appears that I'm pinging google (in my svn wireshark), 
while actually I'm pinging a private addres :).

We should probably have a ****load of parameter to tune the behavior of address resolution :) As there seems to be many 
opinions on the subject.
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]