Ask Your Question
0

How do Wireshark resolve addresses

asked 2018-01-05 20:56:58 +0000

swagluke gravatar image

updated 2018-01-05 20:59:39 +0000

So I'm a macbook user and have WireShark Version 2.41 installed. Under the Statistics options, WireShark keeps all the records of all the resolved address. (IPv4 and IPv6 to host names/website urls)

Could someone from the WireShark team please explain to me how this is being done? I'm super curious about the whole process since each ip address can host multiple domains. For example, Amazon AWS can host multiple websites on the same IP address. How does WireShark know exactly which host name/website is being accessed through the ip address at that exact moment?

Thanks in advance.

edit retag flag offensive close merge delete

Comments

Wireshark version 2.4.1 is a very old and obsolete version. If at all possible please upgrade to the current version.

grahamb gravatar imagegrahamb ( 2022-11-04 12:44:14 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-11-03 11:38:09 +0000

webernetz gravatar image

updated 2022-11-04 12:43:11 +0000

grahamb gravatar image

Hey. As far as I know, there are various ways Wireshark does its name resolution for network layer addresses. Have a look at Preferences -> Name Resolution.

That is:

  1. "use captured DNS packet data for name resolution": here, if you have been using a single service from AWS (for example) which is hosted on an IP address, this binding will be displayed, since Wireshark has seen your DNS request for the actual service hostname and its corresponding IP addresses.
  2. use your system's DNS settings for name resolution: here, reverse DNS lookups (PTR records) for the IP addresses in question are made to your recursive DNS server. With this option being set, you're absolutely correct, that you won't get the name of the concrete service for AWS, but a generic name from Amazon, since such cloud providers do not set their PTR records to the name of each service (which would be hundreds!), but to something generic.

Hope that helps? Cheers Johannes

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-01-05 20:56:58 +0000

Seen: 751 times

Last updated: Nov 04 '22

Related questions

IPv4 Statistics -> IP Protocol Types

How can I get the flow count from a pcap file ?

Capture incoming packets from remote web server

How to set packet metadata in realtime?

Monitor device

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

What is wrong with my internets?!

When/why would a device send a frame with ethertype 0x86dd (IPv6) but it's actually an IPv4 packet?

Statistics / Conversations / Name Resolution

How do I dissect multiple packets?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2