Wireshark mailing list archives
Re: Memory consumption in tshark
From: Evan Huus <eapache () gmail com>
Date: Thu, 29 Aug 2013 11:17:26 -0400
On Thu, Aug 29, 2013 at 11:07 AM, Dario Lombardo <dario.lombardo.ml () gmail com> wrote:
> On Thu, Aug 29, 2013 at 4:35 PM, Evan Huus <eapache () gmail com> wrote:
>> Basically, but it's also more. If your capture contains a DNS packet resolving a name in a certain way, and the system name resolver gives a different answer, we prefer the DNS packet in the capture (since presumably the capture was on some local network where that name resolves differently). For this reason we can't just drop old cache entries unless name resolution is disabled completely.
>
> That's really interesting. This means that if a DNS packet with a fake resolution is got, it can pollute the "cache".
Yes. The assumption is that if the in-capture DNS and the system resolver disagree, the capture was done on some local network with its own private DNS where certain names resolve specially. For example, if I do a capture on my local network and I ping myserver1 (which resolves to a 192.168 address) then Wireshark will correctly resolve that ping as long as it caught the DNS exchange as well.
> I've triggered this behaviour in the attached pcap file. It appears that I'm pinging google (in my svn wireshark), while actually I'm pinging a private address :).
It can certainly be abused, but the real IP is always available and it's never been a problem thus far in practice :)
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe