Ask Your Question

Does wireshark account for Adjusted host files? [closed]

asked 2020-05-14 13:52:27 +0000

I have a system I am blocking specific IP addresses using the hosts file in windows, however wireshark shows the a connection being attempted to that IP address. I can't seem to see where it is resolving to.

Ex: Hosts file shows:

Ip address doesn't resolve in any browser, however wireshark will show the call being made but not where it resolves to. unless I'm missing something.

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by Ka0sDem0n
close date 2020-05-14 15:28:55.675812

1 Answer

Sort by ยป oldest newest most voted

answered 2020-05-14 14:13:31 +0000

grahamb gravatar image

I don't think you understand what the hosts file does, it's for resolution of hostnames to IP addresses, it does not map IP addresses to other IP addresses.

When applications attempt to connect to a remote host, e.g., that hostname must be resolved to an IP address. Depending on the application, it may make a lookup of the hostname in the hosts file and if found the IP address for that hostname is returned.

Also note your format is incorrect for a Windows host file, if you wanted to redirect to you would use

that is <resolved IP> < host name>

edit flag offensive delete link more


You are correct, when I tested this previously it had the intended impact on the system, and I couldn't contact the remote host. I need to find a solution to stop an application making a call to a remote IP address. I may have to just do this through the built in firewall.

Ka0sDem0n gravatar imageKa0sDem0n ( 2020-05-14 14:45:35 +0000 )edit

You could add a null route for the target address, e.g. using an elevated prompt:

route add <targetIP> <IP of your gateway> if 1

where <IP of your gateway> is your default gateway, usually your router. If you want to make this permanent over reboots, then add -p, .e.g route -p add ....

To delete the route use:

route delete <targetIP>
grahamb gravatar imagegrahamb ( 2020-05-14 15:08:43 +0000 )edit

Could I replace <IP of your gateway> with '' ? I would like it back to local host to not cause any potential networking issues with client networks.

Ka0sDem0n gravatar imageKa0sDem0n ( 2020-05-14 15:17:52 +0000 )edit

No. Note due to the mask defaulting to only the specific targetIP will be affected on the machine you have added the route to. If you examine the route after adding it you'll see that if 1 is

grahamb gravatar imagegrahamb ( 2020-05-14 15:23:04 +0000 )edit

Also note that this question and the subsequent conversation is off-topic for this site as it has nothing to do with Wireshark

grahamb gravatar imagegrahamb ( 2020-05-14 15:26:52 +0000 )edit

Question Tools

1 follower


Asked: 2020-05-14 13:52:27 +0000

Seen: 493 times

Last updated: May 14 '20