[Winpcap-users] can not get any captured package when

Bryan Kadzban bryan at kadzban.is-a-geek.net
Tue Aug 12 13:10:10 GMT 2008



Lin George wrote:
> For the name resolution library, I have looked at the getaddrinfo function,
>  http://msdn.microsoft.com/en-us/library/ms738520.aspx
> 
> Just want to quickly confirm with you, since I am new to this
> function: you mean the 4th out parameter res will return a list of IPs
> for the same name? Not necessarily always 3?

Right.  It's three addresses in the case of Google (when I ask anyway),
but the list can be any length.  You find the last item by following the
ai_next pointers in each addrinfo structure until you get to an addrinfo
whose ai_next pointer is NULL (standard linked list).  Most programs
will only take the first structure, though, so most programs don't care
about how the list is set up.

> And is it the responsibility of the client application (which uses
> getaddrinfo) to rotate through the IP address list to make it better
> load balanced?

No.  The list will come back from getaddrinfo() in a different order
each time the program asks -- if the program simply chooses the first
item off the list, that should be enough for some decent load balancing.

>> That also may explain why it never changes in your environment: 
>> Your DNS server isn't returning the expected data.  It's returning 
>> your proxy address (and it's probably returning that single address
>> no matter what name you ask for).
> 
> I think in my network environment, it is the proxy which does the 
> real DNS resolution work?

When a proxy is configured in your web browser, this is true.

But it appears that your network's DNS server is returning "wrong" DNS
responses for all out-of-network names.  I'm not sure why, but I suspect
it has something to do with transparent proxying or something like that
-- making the proxy server act as a proxy even if the browser isn't
expecting it to.  If that's what's happening, then yes, the proxy will
do another DNS transaction to get the real address for the name.

> The gethostbyname function is also valid on Windows, but when
> compared with getaddrinfo, gethostbyname could only return one IP
> address for a name, while getaddrinfo could return a list of IP
> addresses?

Not exactly.  gethostbyname's hostent structure contains an h_addr_list
member that's an array of addresses.  Each address's length (in bytes)
is the value of h_length.  So to find the first address, copy h_length
bytes from h_addr_list[0] into the appropriate address type, and to find
each additional address, increment the zero until you get a NULL.

> From the study of your reply, I think even if we call getaddrinfo or
> gethostbyname, the DNS server may or may not be used, because the two
> APIs may cache values for some time? Correct?

They may cache the results, yes.  They don't have to though.  (And even
if they do, they might still rotate the items in the list.)

> If you have any further documents or sample code regarding how the
> local name resolution library works and how it works with the local
> DNS server, please point me to some. :-)

Just experience writing programs and working with packet captures...

