Ask Your Question
0

Does wireshark account for Adjusted host files? [closed]

asked 2020-05-14 13:52:27 +0000

Ka0sDem0n gravatar image

I have a system I am blocking specific IP addresses using the hosts file in windows, however wireshark shows the a connection being attempted to that IP address. I can't seem to see where it is resolving to.

Ex: Hosts file shows:

64.233.185.102 127.0.0.1

Ip address doesn't resolve in any browser, however wireshark will show the call being made but not where it resolves to. unless I'm missing something.

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by Ka0sDem0n
close date 2020-05-14 15:28:55.675812

add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-05-14 14:13:31 +0000

grahamb gravatar image

I don't think you understand what the hosts file does, it's for resolution of hostnames to IP addresses, it does not map IP addresses to other IP addresses.

When applications attempt to connect to a remote host, e.g. www.wireshark.org, that hostname must be resolved to an IP address. Depending on the application, it may make a lookup of the hostname in the hosts file and if found the IP address for that hostname is returned.

Also note your format is incorrect for a Windows host file, if you wanted to redirect www.wireshark.org to 127.0.0.1 you would use

127.0.0.1    www.wireshark.org

that is <resolved IP> < host name>

edit flag offensive delete link more

Comments

You are correct, when I tested this previously it had the intended impact on the system, and I couldn't contact the remote host. I need to find a solution to stop an application making a call to a remote IP address. I may have to just do this through the built in firewall.

Ka0sDem0n gravatar imageKa0sDem0n ( 2020-05-14 14:45:35 +0000 )edit

You could add a null route for the target address, e.g. using an elevated prompt:

route add <targetIP> <IP of your gateway> if 1

where <IP of your gateway> is your default gateway, usually your router. If you want to make this permanent over reboots, then add -p, .e.g route -p add ....

To delete the route use:

route delete <targetIP>
grahamb gravatar imagegrahamb ( 2020-05-14 15:08:43 +0000 )edit

Could I replace <IP of your gateway> with '127.0.0.1' ? I would like it back to local host to not cause any potential networking issues with client networks.

Ka0sDem0n gravatar imageKa0sDem0n ( 2020-05-14 15:17:52 +0000 )edit

No. Note due to the mask defaulting to 255.255.255.255 only the specific targetIP will be affected on the machine you have added the route to. If you examine the route after adding it you'll see that if 1 is 127.0.0.1

grahamb gravatar imagegrahamb ( 2020-05-14 15:23:04 +0000 )edit

Also note that this question and the subsequent conversation is off-topic for this site as it has nothing to do with Wireshark

grahamb gravatar imagegrahamb ( 2020-05-14 15:26:52 +0000 )edit
add a comment

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-05-14 13:52:27 +0000

Seen: 536 times

Last updated: May 14 '20

Related questions

Only host name in "addr (resolved)" columns

Wireshark portable v.2.4.3, location of the host file

hosts file manager

How does tshark read files with dns entries saved with -H?

It seems host does not receive segment 33 but it receives 32 and 34. This is related to TCP protocol. Is it because it utilizes 33 for ACK on the other host?

Custom Hosts file with IP range?

Host conversations - IP or TCP

Host name File Edit