Ethereal-dev: [Ethereal-dev] Re: [Ethereal-users] RE: Ethereal DNS Traffic Storm - Clarified P
David,
I have no experience with the Windows version of ethereal, but if
you look at the Help/About Ethereal window, can you tell me if
it is built with or without ADNS, a library for doing DNS queries?
Best regards
Michael
On 26 Mar 2004, at 19:25, Wescott, David H wrote:
Clarified Post:
Just to clarify, this is not normal DNS traffic.  Consider that the 
rate is 1000+ frames per second, and that this traffic is going to all 
configured DNS servers simultaneously.  In addition, these are not the 
expected DNS queries carried by UDP.  These are TCP SYN frames to port 
53.  When the DNS server responds with a SYN ACK, the Ethereal client 
aborts the connection with a TCP RESET.  This traffic is continuous 
until Ethereal is aborted, and no DNS information is gained, since all 
these port 53 connection attempts are unsuccessful.  In one case, an 
impacted user left their machine running in this state for 3 hours and 
this high rate of DNS traffic was constant for the entire time.  We 
have observed that this condition occurs during display and not 
capture, and that it will push the client CPU to 100%.  We believe 
that this is some type of bug, and not normal DNS traffic.  This 
condition only occurs when Ethereal is used, and of course only if DNS 
lookups are enabled.  However, we would like to get this corrected, so 
that DNS lookups can be used.
Response From List:
Yes. If you have the Network name resolution enabled while you capture 
or while you open a file it will cause lots of DNS requests.  You can 
disable the network name resolution and avoid this problem. See the 
attached JPG files for images of the two places you need to disable 
the DNS settings. This is captured from the Windows XP 10.2 version of 
the product.
Original Post:
We are seeing occasional DNS traffic storms that have been isolated to 
Ethereal.  We have confirmed cases with versions 0.9.14 and 0.9.15, as 
well as with the current version of 0.10.2.  The impacted devices were 
running Windows operating systems, but we do not know if that is a 
criterion.  We did several searches of the Ethereal mailing lists, but 
could not find any current reference to this issue.
We have seen as high as 1,132 frames-per-second of DNS related traffic 
from a single Ethereal client.  We were able to capture a sample trace 
of an Ethereal DNS traffic storm.  There were a total of 547,226 
frames of DNS related traffic in ~8 minutes (~36 Meg of network 
traffic).  In summary, the Ethereal client PC sent a total of 250,461 
DNS connection attempts (TCP port 53) to 5 different DNS servers in ~8 
minutes.  There were ~50K connection attempts per DNS server in the 
sample trace.  This traffic continued until the Ethereal application 
was aborted.  The client PC also went to 100% CPU while the DNS 
traffic storm was occurring.  The 3 valid DNS servers each answered as 
expected with a TCP SYN ACK.  The client then responded to these TCP 
SYN ACK frames with a TCP RST (Reset) aborting the connection attempt.
Is anyone aware of this issue?  Please advise if you can provide some 
insight or direction regarding correcting this issue.  We posted this 
yesterday to the developers list, but so far no one has responded.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
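The thread describes a very recognisable traffic signature: one client sending TCP SYNs to port 53 at 1000+ frames per second, each answered by a SYN ACK and immediately aborted by the client with a RST, so no DNS data is ever exchanged. The following Python script is an added example, not code from the thread or from the Ethereal project, showing how a network operator could detect that pattern in a packet summary. The input lines, the tcpdump-like line shape, the IP addresses, and the rate threshold of 100 SYNs per one-second window are all constructed assumptions for the demonstration.

```python
"""Detect the TCP/53 connect-and-reset storm described in the thread.

Input is a list of constructed packet-summary lines (not a real capture) in a
tcpdump-like shape, one packet per line:
    "<epoch_seconds> <src_ip>.<src_port> > <dst_ip>.<dst_port> Flags [<flags>]"
Flags use tcpdump's letters: S = SYN, S. = SYN+ACK, R = RST, . = ACK only.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+) Flags \[(?P<flags>[^\]]*)\]$"
)


def parse_line(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]), "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"],
    }


def find_dns_tcp_storms(lines, rate_threshold=100, window=1.0):
    """Return per-client stats for hosts whose TCP/53 connection attempts are
    (a) aborted with a RST right after the server's SYN ACK and (b) arrive
    faster than rate_threshold SYNs within any `window` seconds.
    Both thresholds are assumed values, not figures from the thread."""
    # Stage of the SYN -> SYN ACK -> RST pattern, keyed by (client, port, server).
    pending = {}
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "rst_after_synack": 0, "peak_rate": 0})
    syn_times = defaultdict(list)  # sliding window of recent SYN timestamps per client
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dport"] == 53 and p["flags"] == "S":
            pending[(p["src"], p["sport"], p["dst"])] = "syn"
            s = stats[p["src"]]
            s["syn"] += 1
            times = syn_times[p["src"]]
            times.append(p["ts"])
            while times and p["ts"] - times[0] > window:  # expire old SYNs
                times.pop(0)
            s["peak_rate"] = max(s["peak_rate"], len(times))
        elif p["sport"] == 53 and p["flags"] == "S.":
            key = (p["dst"], p["dport"], p["src"])
            if pending.get(key) == "syn":
                pending[key] = "synack"
                stats[p["dst"]]["synack"] += 1
        elif p["dport"] == 53 and p["flags"] == "R":
            key = (p["src"], p["sport"], p["dst"])
            if pending.pop(key, None) == "synack":
                stats[p["src"]]["rst_after_synack"] += 1
    return {ip: s for ip, s in stats.items()
            if s["peak_rate"] >= rate_threshold and s["rst_after_synack"] > 0}


def build_sample_storm(client="10.0.0.5", servers=("10.0.1.1", "10.0.1.2", "10.0.1.3"), n=300):
    """Constructed sample: n connect-and-reset triples at ~1000/s to three
    DNS servers, plus one normal completed web handshake from another host."""
    lines = []
    ts = 1080325500.0  # constructed epoch timestamp, not from any real capture
    for i in range(n):
        srv = servers[i % len(servers)]
        port = 40000 + i
        lines.append(f"{ts:.6f} {client}.{port} > {srv}.53 Flags [S]")
        lines.append(f"{ts + 0.0002:.6f} {srv}.53 > {client}.{port} Flags [S.]")
        lines.append(f"{ts + 0.0003:.6f} {client}.{port} > {srv}.53 Flags [R]")
        ts += 0.001
    lines.append(f"{ts:.6f} 10.0.0.9.50000 > 10.0.2.2.80 Flags [S]")
    lines.append(f"{ts + 0.01:.6f} 10.0.2.2.80 > 10.0.0.9.50000 Flags [S.]")
    lines.append(f"{ts + 0.02:.6f} 10.0.0.9.50000 > 10.0.2.2.80 Flags [.]")
    return lines


if __name__ == "__main__":
    for ip, s in find_dns_tcp_storms(build_sample_storm()).items():
        print(f"{ip}: {s['syn']} SYNs to port 53, {s['rst_after_synack']} reset after "
              f"SYN ACK, peak {s['peak_rate']} SYNs per window")
```

The detector keys on the combination rather than on the rate alone: a legitimate resolver doing DNS over TCP completes the handshake and sends a query, so it never accumulates RST-after-SYN-ACK counts, while the storm in the thread produces nothing else. The same logic can be fed real summaries by reformatting capture output into the line shape above.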