This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“View Menu > Name Resolution > Resolve Name” doesn’t seem to work

0

My understanding from the documentation at http://www.wireshark.org/docs/wsug_html_chunked/ChUseViewMenuSection.html is that clicking "View Menu > Name Resolution > Resolve Name" should perform name resolution on the currently selected packet. This is, or would be, a very useful feature, as I typically don't want to turn on network name resolution to prevent the additional reverse DNS queries during a capture, for a couple reasons. But when I do find a packet of interest and I don't recognize one of the IP addresses inside then I'd like to be able to click on it and do some more investigation (like a reverse lookup, etc.).

When I select a packet and then click the "Resolve name" option, however, nothing seems to happen. The GUI doesn't update the selected packet and replace the IP addresses with FQDNs (even when I can just go to a command prompt and get the same FQDN with nslookup). I've tried changing the DNS server my OS points to, and I've tried resolving several different IP addresses, and this option just doesn't seem to do anything. On a few occasions I noticed that when I click this option the first time within a capture I can see a single reverse lookup (usually for that packet's destination address, not the source, oddly) and then nothing else (even this behavior isn't reliably repeatable). No more attempts to resolve anything, no matter how many times I click Resolve name or how many packets I try this on. I tried marking the packets to see if that matters; it didn't. I tried updating to WinPcap 4.1.3 and a few different builds (64 and 32 bit) of Wireshark. I tried running Wireshark in a clean Virtual Machine running an older version of Windows. No change.

Am I doing something wrong here? Or is this a bug I should report? Thought I'd ask in case this is just my bad, before going to the Bugzilla. Thanks in advance.

asked 07 Apr '13, 07:21

poundonu
11112
accept rate: 0%


3 Answers:

1

You're doing it correctly, but you're not looking in the right place for the results. "Resolve Name" does not change the display in the Packet List, only in the Packet Details pane. Expand the Internet Protocol header in the Packet Details pane and you will see the resolved domain names displayed next to the source and destination IP addresses. "Resolve Name" also resolves the MAC address OUIs at the same time.

Since you have to go into the Packet Details pane anyway, you can do this more quickly by using Wireshark's right-click functionality instead of the menu. Right-click anywhere in the Packet Details pane and select "Resolve Name."

If you want to see domain names in the Packet List, you'll have to turn on network name resolution instead of doing manual one-off resolutions.

answered 07 Apr '13, 11:51

Jim Aragon
7.2k733118
accept rate: 24%

0

You can get the precise behavior you're looking for from instructions over here: http://www.howtogeek.com/106191/5-killer-tricks-to-get-the-most-out-of-wireshark/

Essentially, you click Edit | Preferences, and enable DNS Resolution. The packets in your window will all update.

Cheers

answered 30 Dec '14, 12:42

kyrka
1
accept rate: 0%

0

Remove a 'capture filter' you might have previously established:

-> Edit -> Configuration Profiles.

  • Note the folder link that contains 'profile preferences'.

  • In the 'Profiles' subfolder, using a text editor, edit the preferences file.

  • Remove or '# comment' any 'capture filters' that you might have previously established.

answered 28 Mar '16, 20:17

rove
62
accept rate: 0%

edited 28 Mar '16, 21:13