[...]
> Presumably, if pcap_compile_ex() or pcap_compile_nonameres() or whatever
> were to disable name resolution, it would treat *all* host names as failing
> to resolve, so
>
> host www.example.com
>
> would fail to compile. This means, of course, that the pre-test would
> always fail unless you use IP addresses instead of host names.
>
> Wireshark's capture filter text box checks the syntax of the filter, showing
> a red background if it doesn't compile and a green background if it does; it
> runs the check in a separate thread and, until the thread completes doing
> the name resolution, the background is yellow, meaning "I don't know yet
> whether this is valid".
Well, yes, but something else applies even without a separate function to avoid
the timeout.
As far as I understand in this case, if one really must use hostnames in the
filter expression (for instance, if the A/AAAA addresses change often or when
there are multiple software instances and each of them gets a different
response from the resolver), pre-testing without DNS is simply impossible. If
it is more important to be able to pre-test without DNS, the filter must be
changed to use no hostnames.
--
Denis Ovsienko
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
