>>>>> "Phil" == Phil Wood <[EMAIL PROTECTED]> writes:
>> Do we need to add them to the file, or would having a separate file with
>> name-to-address mappings (as snoop and Microsoft Network Monitor do) be
>> sufficient?
Phil> Gilbert Ramirez <[EMAIL PROTECTED]> is suggesting DNS records to
Phil> accompany the data in a new tcpdump file format. If this becomes a reality,
Phil> PLEASE make it an optional feature (alternate reality). There is nothing
Phil> quite so BAD as doing DNS address to name lookups while capturing packets.
Phil> Unless, of course, you are NOT interested in capturing packets. Most of
Phil> the packets of interest have addresses with no names. Consequently, while
Phil> you are timing out on your DNS query, 100,000+ packets get dropped.
Phil> You might want to add an option to do an SMTP connect to see if the system
Phil> has a name, and while you're at it, a WHOIS on the address. Couple all that
Phil> information together while you're capturing packets. NOT. I'd argue that
Phil> postprocessing could include name lookup and create a parallel database for
Phil> each instance of a tcpdump session for those that need it. But, now, I'm
Phil> not talking TCPdump.
I would prefer to have it in the same file.
I do not suggest that it should be done in real time, but I don't see why
one has to carry two files around the place. They can be added in as a
post-process step.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html