Phil Wood wrote:

> > > Gilbert Ramirez <[EMAIL PROTECTED]> is suggesting DNS records to
> accompany the data in a new tcpdump file format. If this becomes a reality,
> PLEASE make it an optional feature (alternate reality). There is nothing

Yes, they would be optional.

> quite so BAD as doing DNS address to name lookups while capturing packets.

That's true. I never intended for the lookups to be done concurrently. Remember, I'm describing the file format, not the tool implementation. And many different tools use the libpcap file format, not just tcpdump. I envision a capture taking place, and *if you want*, a tool processing the packets and storing the name-to-address mappings in the/a file.

> each instance of a tcpdump session for those that need it. But, now, I'm
> not talking TCPdump.

Correct. Like I said, this is the file format, used by tcpdump, Ethereal, and any other packet analyzer that wants to.

BTW, I'm coming at this from the Ethereal view point, as that's the tool I work on. That's probably why I didn't spell it out clearly, but Ethereal's capture mechanism can run in two phases; the 1st phase captures packets (like "tcpdump -w") and the 2nd phase analyzes the packets, all within the same interactive session. Thus, during the 2nd phase, one can have the luxury of doing DNS lookups, since the capture is already complete.

> If you truly want to lookup each address in dns for the reason that it might
> change moment to moment, then that leaves out caching the name, so in essence,

That's not what I'm after. Different users have different needs. I don't care if the DNS entry changes *during* a capture session, but I *do* care if the DNS entry changes *after* my capture session. If another user doesn't care about DNS entries changing, then they don't have to store the mappings.

I save capture files for a long time; when I look at them months later, I'd like to see the original DNS mappings. Actually, I *really* had the need for this when I worked in an I.T. department a few years ago. I made many traces of test machines, whose DNS entries would disappear after the testing was done and the test machines removed. But I kept the capture files to refer to.

> for each packet you will add a query and response udp packet, thus tripling
> the size of your tcpdump file. If you do go ahead with this crazy scheme,

Again, I'm not advocating that tcpdump do DNS lookups during a capture, whether you want them or not.

> remember to not lookup your own sensor's names and those of the servers you
> end up sending the query to.

BTW, it's even crazier. Notice I mentioned "name resolution records", or as Guy said, "name-to-address mappings." That is, besides DNS, it includes MAC-to-name mappings, IPX network-to-name mappings, and anything else that the packet analyzer can handle. Ethereal supports these different name-to-address mappings.

--gilbert

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
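The two ideas in the message above, a second pass over a finished capture that resolves names only after capturing is done, and mappings that cover more than DNS (MAC-to-name as well as IP-to-name), as an added example. This is not code from tcpdump, Ethereal or the thread; the libpcap file layout it parses is the classic one (24-byte global header, 16-byte per-record header), but the record shape it produces, (kind, address, name), and the hosts/ethers-style text it renders are assumptions of this example, since the thread defines no format. The sample capture and the resolver tables are constructed inline, so nothing is looked up on the network.

```python
"""Phase-2 name resolution for a completed libpcap capture (added example).

Walk the file, collect every IPv4 and MAC address seen, resolve them with
caller-supplied lookups, and return the name-to-address records that could
be kept beside the capture. The record layout and the hosts-style rendering
are this example's own choices, not a format defined by tcpdump or Ethereal.
"""
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def read_pcap(data):
    """Yield (timestamp, frame bytes) from a classic libpcap file in either
    byte order. Raises ValueError on a bad magic or a truncated record."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def addresses_in(frame):
    """Return (MAC set, IPv4 set) for one Ethernet frame; non-IPv4 payloads
    still contribute their MAC addresses."""
    macs, ips = set(), set()
    if len(frame) < 14:
        return macs, ips
    macs.add(fmt_mac(frame[0:6]))
    macs.add(fmt_mac(frame[6:12]))
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34 and frame[14] >> 4 == 4:
        ips.add(fmt_ip(frame[26:30]))  # IPv4 source, offset 14 + 12
        ips.add(fmt_ip(frame[30:34]))  # IPv4 destination, offset 14 + 16
    return macs, ips


def collect_addresses(data):
    macs, ips = set(), set()
    for _, frame in read_pcap(data):
        m, i = addresses_in(frame)
        macs |= m
        ips |= i
    return macs, ips


def build_resolution_records(data, resolve_ip, resolve_mac):
    """Phase 2: resolve only after the capture is complete. Returns a list of
    (kind, address, name); addresses with no name are simply left out."""
    macs, ips = collect_addresses(data)
    records = []
    for ip in sorted(ips, key=lambda a: tuple(int(x) for x in a.split("."))):
        name = resolve_ip(ip)
        if name:
            records.append(("ipv4", ip, name))
    for mac in sorted(macs):
        name = resolve_mac(mac)
        if name:
            records.append(("ether", mac, name))
    return records


def render_records(records):
    """One tab-separated mapping per line, hosts(5)/ethers(5) style."""
    return "".join("%s\t%s\t%s\n" % r for r in records)


def make_sample_pcap():
    """Constructed capture: one IPv4 frame and one ARP broadcast."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    gw_mac, box_mac = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    frame1 = gw_mac + box_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    frame2 = b"\xff" * 6 + gw_mac + struct.pack("!H", ETHERTYPE_ARP) + b"\0" * 28
    out = hdr
    for ts, f in ((1000, frame1), (1001, frame2)):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out


# Constructed lookup tables standing in for DNS and an ethers file.
IP_NAMES = {"10.0.0.1": "gw.lab.example", "10.0.0.5": "testbox.lab.example"}
MAC_NAMES = {"00:11:22:33:44:55": "testbox-nic"}


def sample_records():
    return build_resolution_records(make_sample_pcap(), IP_NAMES.get, MAC_NAMES.get)


if __name__ == "__main__":
    print(render_records(sample_records()), end="")
```

The resolvers are plain callables, so a real run would pass `socket.gethostbyaddr`-style lookups for the IP side and an ethers table for the MAC side; keeping them out of the parser is what makes the lookup a separate, optional phase rather than something done while packets are being captured. Unresolvable addresses (the broadcast MAC here) produce no record, so the stored mappings never claim more than was actually known at the time.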
