I guess you can argue that one until cows come home. The first packet has the MAC because it's probably the ARP... I'm 00:00:00:00:00:00 who-as a.b.c.d (source set, destination is broadcast).
Then somebody replies a.b.c.d is at xx:xx:xx:xx:xx:xx. Now you have the association. The piece translating a.b.c.d into www.xxx.org requires either sniffing a DNS query or ntop explicitly making one, and those happen asyncronously (and quite a bit later potentially). I would have to look up what the sequence is for NetBIOS. -----Burton > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Markus Rehbach > Sent: Wednesday, February 25, 2004 3:51 PM > To: [EMAIL PROTECTED] > Subject: Re: [Ntop] New sorting routines in cvs - these are post 3.0pre1 > - TEST NOW OR HOLD YOUR WATER > > > Correction inline below, sorry > > > Wed Feb 25 22:00:24 2004 CMPFCTN_DEBUG: > setResolvedName(0x085ded50) 0 -> > > 3 ETHER - pbuf.c(664) Wed Feb 25 22:04:31 2004 CMPFCTN_DEBUG: > > setResolvedName(0x085ded50) 3 aether -> 6 192.168.11.240 - pbuf.c(3216) > > > > The first is the entry of the NetBIOS name broadcast, the > second entry is > > an entry generate at the moment I pinged that host. Curious in that way > > that the first broadcast packet contained the MAC, the IP-Adress and the > > name of the host. Why not a 6 at the first packet? <snipped > rest if line> > > Btw. is it not better to have the DNS resolution as 7 but the > NetBIOS name > res. as 6? And the IP-Address a 5 and for folks like me using the -n > parameter switching off both 6 and 7? > > _______________________________________________ > Ntop mailing list > [EMAIL PROTECTED] > http://listgateway.unipi.it/mailman/listinfo/ntop > _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
