
How to resolve a large list of IP addresses?

asked 2021-07-08 14:53:44 +0000


Hi. I have files with a lot of captured traffic which I want to analyse. But when I use Wireshark with "Resolving addresses" turned on, it works very slowly, the program starts lagging, etc. So I can't analyse the list of Endpoints I was connecting to.

So I supposed I should try to resolve the IP addresses another way. I want to copy all the IPs from Statistics -> Endpoints -> IPv4 and resolve the list by some different means. I guess it should be much faster (because I already tried to analyse my dumps on another PC, another system, and it still lags so much) and more efficient. So, could you please give a hint on how I could export all the Endpoints IPv4 addresses and resolve them as fast as possible?


1 Answer


answered 2021-07-08 15:33:51 +0000


updated 2021-07-08 15:36:36 +0000

To get the IPs, use tshark with the -z endpoints,<type> option, setting type appropriately, e.g. "ip" for IPv4 addresses. You'll also need the -q and -n flags to suppress normal output and disable name resolution respectively, e.g.

 tshark -r mycapture.pcap -q -n -z endpoints,ip

You may find that using tshark you can enable name resolution and the load won't be too bad by removing the -n option.

See the tshark man page for all the -z endpoints,... options.


Comments

Thank you! It helped me so much. It is exporting and resolving much faster than before. But could you please tell me what I can do with the IPv4 addresses that were not resolved? Are there any methods by which I could upload a list of unresolved IP addresses (maybe there are programs or sites) and get them resolved? I am a complete newbie in this, and I find it difficult to understand things from the documentation. It's great that Wireshark has such good support :)

neverxxsleep ( 2021-07-08 22:55:38 +0000 )

Wireshark uses a resolver library, c-ares, to resolve IP addresses to names, and it will use the DNS servers set in the Name Resolution preferences. I think that if that list is empty it uses the host DNS config to find DNS servers.

If IPs can't be resolved then either the query is being sent to the wrong DNS servers (i.e. the IPs are internal (non-public), so you need to use an internal DNS server) or there is indeed no DNS reverse record for them.

Can you give an example of one IP that doesn't resolve?

grahamb ( 2021-07-09 07:51:45 +0000 )
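Putting the answer and the comment above together, as an added example that is not from this thread: a Python script that runs the tshark command from the answer, parses the address column of the IPv4 endpoints table, reverse-resolves each address, and marks both the ones with no reverse record and the ones in internal/reserved ranges (which need an internal resolver, as grahamb notes). The sample table and the file name are constructed; `endpoints_from_pcap` only works where tshark is installed.

```python
import ipaddress
import re
import socket
import subprocess
# Constructed sample of `tshark -q -n -z endpoints,ip` output (documentation/private addresses, not a real capture).
SAMPLE_ENDPOINTS = """\
================================================================================
IPv4 Endpoints
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
192.0.2.10                    120         9000         60            4000        60             5000
10.0.0.5                       80         6000         40            3000        40             3000
203.0.113.9                    40         2000         20            1000        20             1000
================================================================================
"""
IPV4_AT_LINE_START = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")

def endpoints_from_pcap(pcap):
    """Run the command from the answer; -n stops tshark resolving names itself."""
    return subprocess.run(
        ["tshark", "-r", pcap, "-q", "-n", "-z", "endpoints,ip"],
        capture_output=True, text=True, check=True,
    ).stdout

def parse_endpoints(text):
    """Pull the address column out of the endpoints table, skipping headers and rules."""
    ips = []
    for line in text.splitlines():
        m = IPV4_AT_LINE_START.match(line)
        if m:
            ipaddress.IPv4Address(m.group(1))  # raises ValueError on a malformed address
            ips.append(m.group(1))
    return ips

def scope(ip):
    """Internal/reserved addresses have no public PTR record; query an internal resolver for them."""
    return "public" if ipaddress.ip_address(ip).is_global else "internal"

def resolve_all(ips, lookup=socket.gethostbyaddr):
    """Reverse-resolve each address; None marks one with no reverse record."""
    names = {}
    for ip in ips:
        try:
            names[ip] = lookup(ip)[0]  # gethostbyaddr returns (hostname, aliases, addresses)
        except OSError:  # socket.herror / socket.gaierror are OSError subclasses
            names[ip] = None
    return names

if __name__ == "__main__":
    for ip, name in resolve_all(parse_endpoints(SAMPLE_ENDPOINTS)).items():
        print(f"{ip:16} {scope(ip):9} {name or '(no reverse record)'}")
```

For a real file, replace `SAMPLE_ENDPOINTS` with `endpoints_from_pcap("mycapture.pcap")`; the resolver used is the host's, so point it at an internal DNS server for the addresses marked internal.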
