Re: sec-macof.pcap take ages to load on WireShark 1.4.9 on MacOS Lion

[Guy Harris <guy () alum mit edu>]

On Oct 26, 2011, at 1:06 PM, Stephen Fisher wrote:

> On Tue, Oct 25, 2011 at 10:29:42PM +0100, Marco Zuppone wrote:
>
> > thanks! I found out that excluding the Transport Name Resolution the 
> > file loads in half second. Before was taking 5 minutes. The strange 
> > fact is that Wireshark 1.4.9 under XP loads the file in seconds 
> > regardless the Transport Name Resolution option.
>
> This sounds like bug #289:
>
>  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=289

5 minutes >> 14 seconds and, as indicated in that bug, we don't scan through the OS's entire services database any 
more.  I'm not sure when that was done.  I don't think it's the same problem as bug 289 - for one thing, 

If it's doing a lot of getservbyport() calls, that would be slower, especially on a system that does it by sequentially 
scanning the /etc/services file.  From a quick look at Libinfo-392, which is the version of Libinfo in Lion 10.7.2, 
that appears to be how it does it (at least to start with; dunno whether it asks opendirectoryd to check with, say, NIS 
or LDAP).  I don't know what other UN*Xes do (the original BSD version sequentially scanned /etc/services, but at least 
some of the /etc files for getXXXbyYYY were changed to have an index to avoid sequential scans), nor what Windows does.

Then again, from a quick look at Libinfo-330.10, which is the version of Libinfo in Snow Leopard 10.6.8, it behaves the 
same way, so "Because it's Lion" might be a simple explanation, but it's likely to be an incorrect explanation....
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe