Writing resolved host names and discarded host names to flat files

If you set the NoNameResolution property to 0, the probe attempts to resolve the IP address for every trap that the probe receives.

Holding in memory details of all host names resolved for IP sources

The probe can hold in memory details of all the host names resolved for the IP source of every trap it receives. This reduces the network overhead that is otherwise incurred due to reported DNS queries. To specify the maximum size of the table in which the probe stores IP-host name pairs, use the HostnameTableSize property. If the table exceeds this size, the probe writes an error message to the log.

You can specify how long an ip-host name value pair stays in the table using the ActiveHostnameDuration property. When this length of time has elapsed since the probe last visited the element, it will be removed from the table held in memory and will be written instead to the flat file for discarded IP-host name pairs.

Processing alarms when the IP-host name table has reached its maximum size

The probe will stop parsing the active list at the list entry where it detects that the table is full.

The probe will not perform an instantaneous host name resolution for any traps received from new IP hosts and the IP will not be stored in the table. The relevant event tokens will carry numeric IP addresses.

Reading from the IP host flat file

When the probe starts, it reads the following flat file:

$OMNIHOME/var/Instance_active_iphost.list

Where Instance identifies the current running instance of the probe.

The Instance_active_iphost.list file contains a list of IP addresses and their corresponding host names. The probe uploads the IP address-host name pairs from the list into an internal table that it holds in memory. The probe ignores an IP address-host name pair if any of the following conditions apply:

  • The IP address is incorrectly formatted.
  • The IP address is not consistent with the setting of the Protocol property; for example, if Protocol is set to IPv4 the probe will ignore IPv6 addresses.

If a resolved host name exceeds 255 characters, the probe will truncate it, writing just the first 255 characters to the internal table.

Note: The probe does not query the DNS server to check whether the host name actually corresponds to the IP address. When you start the probe for the first time, you must ensure that the Instance_active_iphost.list file contains valid IP address-host name pairs and that all host names that you include are consistent with the DNS server, or are valid host names if they have not yet been updated in the DNS server. If no host name can yet be determined for a given IP, you can specify just the IP address for that host. The advantage of supplying IP addresses without host names is that the probe will make DNS queries for just those host names.

Specifying how frequently the probe performs a DNS query

To confirm the validity of the host name values associated with each IP address, the probe periodically queries the DNS server.

You can use the RefreshHostnameInterval property to specify the frequency (in minutes) with which the probe queries the DNS server and updates the host names for the IP addresses stored in memory.

If an IP node held in memory does not have a corresponding host name, and if during the next DNS query the probe manages to retrieve a host name from the DNS server, it will update the node with the resolved host name. If the DNS query fails for an IP node (whether or not it currently has a corresponding host name held in memory), the host name field for the node will remain as it is until the next DNS query attempt.

Hostname resolution policy during trap processing

If the trap’s IP address exists in the probe's internal table and it has a host name set for it, the probe will assign that host name to the event token.

If a trap’s IP is new to the internal table, the probe will send a DNS query for the IP’s hostname. It will then add the IP-host name pair into the internal table as long the table has not reached the limit specified by the HostnameTableSize property. When the internal table is full, the probe makes no DNS query for the IP.

If the IP's host name is empty (either because of an unsuccessful DNS query, or because the original host name value was not set), the probe will assign the IP address to both the Node token and the PeerAddress token.

Note: The IP address values that are assigned to Node and PeerAddress come from IPaddress event token and PeerIPaddress event token respectively. This value may or may not be the same IP address.

Processing idle IP nodes

When an IP node in the probe’s internal table has been idle for a period longer than that specified by the ActiveHostnameDuration, the probe writes the value of the IP address-host name pair to the following flat file:

$OMNIHOME/var/Instance_discarded_iphost.list

For example, if ActiveHostnameDuration is set to 20 minutes and an IP node was created at 1:08 PM, and if the node has not been referenced by the probe to get a resolved host name value to assign to a trap event token by 1:28 PM, then the probe deletes the node from the table and writes the IP address-host name value to the discarded list file. However, if the node was referenced by probe at 1:18 PM, its expiry time is reset to 1:38 pm.

If the probe receives a trap from an IP node that appears in the discarded list, the probe recreates the node in its internal table.

Writing details of the active IP nodes to the flat file on exit

When the probe exits, it writes the details held in its internal table to the following flat file:

$OMNIHOME/var/Instance_active_iphost.list

The probe writes one IP address-host name pair per line using the following format for each line:

ip_address hostname

Where ip_address is an IP address that the probe has attempted to resolve and hostname is the name of the host resolved for that IP address.

Note: If the host name for any of the IP addresses was unresolved, hostname will be absent.