> Do we need to add them to the file, or would having a separate file with
> name-to-address mappings (as snoop and Microsoft Network Monitor do) be
> sufficient?
Gilbert Ramirez <[EMAIL PROTECTED]> is suggesting DNS records to accompany the data in a new tcpdump file format. If this becomes a reality, PLEASE make it an optional feature (alternate reality).

There is nothing quite so BAD as doing DNS address to name lookups while capturing packets. Unless, of course, you are NOT interested in capturing packets. Most of the packets of interest have addresses with no names. Consequently, while you are timing out on your DNS query, 100,000+ packets get dropped. You might want to add an option to do an SMTP connect to see if the system has a name, and while you're at it, a WHOIS on the address. Couple all that information together while you're capturing packets. NOT.

I'd argue that postprocessing could include name lookup and create a parallel database for each instance of a tcpdump session for those that need it.

But, now, I'm not talking TCPdump. On any given weekday, I see something on the order of 50-70 Gigabytes of tcpdump file in a 24 hour period, and that's just using a snaplen of 68 bytes. If I were doing DNS lookups, I'd only add to the problem of storage, and cause massive quantities of packet loss. (I'm not losing packets at this time, but I see that coming real soon as our OC12 starts getting used.)

If you truly want to look up each address in DNS for the reason that it might change moment to moment, then that leaves out caching the name, so in essence, for each packet you will add a query and response UDP packet, thus tripling the size of your tcpdump file.

If you do go ahead with this crazy scheme, remember to not look up your own sensor's names and those of the servers you end up sending the query to.

In the trenches, sniffing packets,
-- Phil Wood, [EMAIL PROTECTED]

- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
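As an added illustration of the post-processing approach argued for above (example code written for this page, not code from the thread or from tcpdump), the following Python builds the separate name-to-address mapping from a pcap after capture has finished: it walks the file once, resolves each distinct address a single time, and skips the sensor's own address and the DNS servers it queries. The pcap bytes, the `10.0.0.5` sensor address and the `FAKE_PTR` answers are constructed stand-ins so the block runs offline.

```python
import socket
import struct

# Constructed legacy pcap header: LE magic, v2.4, tz 0, sigfigs 0, snaplen 68, Ethernet.
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)

def _ipv4_frame(src, dst):
    """Minimal Ethernet+IPv4 frame (no payload) between two addresses."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType 0x0800
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def _record(frame):
    """pcap record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Four constructed packets; 10.0.0.5 stands in for the sensor's own address.
SAMPLE_PCAP = PCAP_GLOBAL_HDR + b"".join(_record(_ipv4_frame(s, d)) for s, d in [
    ("10.0.0.5", "192.0.2.10"), ("192.0.2.10", "10.0.0.5"),
    ("10.0.0.5", "198.51.100.7"), ("203.0.113.9", "10.0.0.5")])

def unique_addresses(pcap_bytes):
    """Walk the records once and collect every IPv4 source and destination."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    addrs, off = set(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        addrs.add(socket.inet_ntoa(frame[26:30]))
        addrs.add(socket.inet_ntoa(frame[30:34]))
    return addrs

def resolve_ptr(addr):
    """Real reverse lookup; returns None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # socket.herror and socket.gaierror both derive from OSError
        return None

def build_name_map(pcap_bytes, resolve, exclude):
    """Resolve each distinct address once, skipping the sensor and its DNS servers."""
    return {a: resolve(a) for a in sorted(unique_addresses(pcap_bytes)) if a not in exclude}

# Constructed stand-in for PTR answers so this runs offline; pass resolve_ptr when online.
FAKE_PTR = {"192.0.2.10": "www.example.net"}
```

Call `build_name_map(SAMPLE_PCAP, FAKE_PTR.get, exclude={"10.0.0.5"})` to get the mapping; with `resolve_ptr` the libc resolver's timeouts still apply, but they now hit a deduplicated address list after capture instead of stalling the capture loop.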
