How should I correctly use "Resolving names"?

asked 2021-06-24 11:22:01 +0000

neverxxsleep

updated 2021-06-24 13:06:51 +0000

Hello. I tried different settings of my Wireshark (like this and this). But when I am opening a file with my captured 150k packets, I want to check statistics with "Endpoints". But I cannot do it normally because it is lagging. I think my PC is good enough to solve this task, so I guess the problem is in my settings.

When I open "Endpoints", sort it by value, and then tick the box "Resolving names", it starts lagging, and after 1-2 seconds the tick in the box disappears, so I need to click every second and try to see any resolved IP addresses.

Are there any ways to fix it, to do it automatically so that I wouldn't need to click this tick every second?


Comments

What is your Wireshark version?

Some of your questions/statements are confusing, possibly down to language translation issues:

  • In Endpoints you "sort it by value", do you mean Address?
  • In the Endpoints dialog, what tab are you using: Ethernet, IP, ...?
  • What is the checkbox "Resolving Names", do you mean "Name Resolution"?
grahamb (2021-06-24 12:24:41 +0000)

Version 3.4.6

I mean sort it by value of packets (ascending). I am using the IPv4 tab. Yes, I meant "Name resolution". Here is this tick-box.

I would wish that when I go to Endpoints it would automatically start Name resolution, so I don't need to click "Name resolution" every second, which makes the program very laggy.

neverxxsleep (2021-06-24 13:06:21 +0000)

1 Answer


answered 2021-06-24 13:43:53 +0000

grahamb

Resolving IPs to names requires looking up those names; they can come from a number of sources: a local file, a local DNS resolver (which may have some items cached), or another DNS resolver elsewhere.

Regardless of how it's done, anything other than a local file (or local cache) will take some time to recursively resolve the names to IPs, and with many names this will take some time; this is the reason the box is unchecked by default.

By default Wireshark will use an asynchronous internal DNS resolver (C-Ares) and allow up to 500 concurrent requests. This can be adjusted in the Preferences -> Name Resolution options.

More information about Name Resolution can be found in the User Guide.

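The answer above explains why the checkbox is slow: a local file or cache is fast, while live lookups for many addresses are not, even with C-Ares allowed 500 in-flight requests. As an added example, not from this thread or the Wireshark project: a Python script that resolves the unique addresses once, ahead of time, with the same concurrency bound and a per-lookup timeout, and renders the result in hosts(5) format, which Wireshark can read from the `hosts` file in its profile directory instead of resolving live while the Endpoints dialog is open. The address list, the seeded cache and the canned answers are constructed; `system_resolver` is the real network path and is only used if you pass it in.

```python
import asyncio
import socket
from typing import Awaitable, Callable, Dict, Optional

Resolver = Callable[[str], Awaitable[Optional[str]]]

async def system_resolver(ip: str) -> Optional[str]:
    """Reverse lookup through the OS resolver, run off the event-loop thread."""
    loop = asyncio.get_running_loop()
    try:
        return (await loop.run_in_executor(None, socket.gethostbyaddr, ip))[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None

async def resolve_all(ips, resolver: Resolver, cache: Dict[str, str],
                      max_concurrent: int = 500, timeout: float = 2.0) -> Dict[str, str]:
    """Resolve each unique IP once. Cache hits never reach the resolver; lookups that
    fail or time out stay unresolved instead of blocking the rest. max_concurrent
    mirrors Wireshark's default limit of 500 in-flight C-Ares requests."""
    sem = asyncio.Semaphore(max_concurrent)
    results = dict(cache)

    async def lookup(ip: str) -> None:
        async with sem:
            try:
                name = await asyncio.wait_for(resolver(ip), timeout)
            except asyncio.TimeoutError:
                name = None
        if name:
            results[ip] = name

    await asyncio.gather(*(lookup(ip) for ip in dict.fromkeys(ips) if ip not in cache))
    return results

def hosts_file(mapping: Dict[str, str]) -> str:
    """Render the mapping in hosts(5) format: one 'address<TAB>name' line per entry."""
    return "".join(f"{ip}\t{name}\n" for ip, name in sorted(mapping.items()))

# Constructed sample: addresses as an Endpoints/IPv4 listing might show them, a seeded
# cache standing in for the profile's hosts file, and canned answers for the lookups.
SAMPLE_IPS = ["10.0.0.5", "10.0.0.5", "192.0.2.10", "198.51.100.7", "10.0.0.9"]
LOCAL_CACHE = {"10.0.0.5": "fileserver.lab.example"}
FAKE_ANSWERS = {"192.0.2.10": "web.example", "10.0.0.9": "printer.lab.example"}

async def fake_resolver(ip: str) -> Optional[str]:
    await asyncio.sleep(0)       # yield, as a real network lookup would
    return FAKE_ANSWERS.get(ip)  # 198.51.100.7 has no answer here

def build_hosts(ips=SAMPLE_IPS, cache=LOCAL_CACHE, resolver=fake_resolver):
    return asyncio.run(resolve_all(ips, resolver, cache))
```

Write `hosts_file(build_hosts(...))` to the profile's `hosts` file, then leave the dialog's Name resolution box ticked: the names come from the file, so nothing is resolved over the network while you browse.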

Comments

Yes, but ...

after 1-2 seconds a tick from the box disappears

That sounds like a bug to me, one that could be reported on the Wireshark Issue Tracker. If the user selects Name resolution, then I think it's a reasonable expectation that it remain selected. In fact, this behavior is easily reproducible during a live capture. For now, I'd recommend not resolving IP addresses during a live capture but only after you've stopped capturing.

cmaynard (2021-06-24 13:59:38 +0000)

Statistics -> Conversations is similarly affected regarding the state of the Name resolution checkbox.

cmaynard (2021-06-24 14:23:23 +0000)

I wonder if the C-Ares run "completes" for the IPs captured so far, so name resolution is disabled again.

grahamb (2021-06-24 14:29:53 +0000)
