How to resolve IPv6 addresses.

asked 2025-07-23 20:04:48 +0000


updated 2025-07-23 20:13:33 +0000

I am working to capture all the email traffic to my system to TS an issue with Thunderbird's email handling. I have multiple email accounts across many services. When I look at the WS Endpoints display (and in the captured trace) most of the IPv6 addresses are not resolved to a host name. (Yes, the Name resolution setting is enabled.)

The only one that is resolved is to py-in-f16.1e100.net. (Google Gmail I presume.) Why aren't the others, and how do I configure my network or Wireshark to accomplish this?

Oh, I am using the following Capture Filter: tcp port 993 or tcp port 465. If there is a better way to filter this I'm all ears.

Thanks for the help.


Comments

Have you been able to find IPv6 addresses which have PTR records not showing up in the endpoint dialog?

That is usually the problem, AAAA records are there in DNS, PTR not so much. And those are the ones Wireshark needs.

Perhaps enabling 'Use SNI information' may give more name resolution in this case.

Jaap ( 2025-07-24 05:22:50 +0000 )

Setting 'Use SNI information' allowed the outlook.office365.com addresses to be resolved.

When I use nslookup on the IPv6 unresolved addresses in CMD, I get "Non-existent domain". On the resolved one the host name is returned. This means that the PTR records don't exist for the email servers in question.

This seems counterintuitive. Why wouldn't these servers have PTR records?

DoctorBrown ( 2025-07-25 23:08:57 +0000 )

Ok, I'm somewhat competent using Wireshark but have much to learn. I needed to start up WS and then my email handler to get the SNI information to resolve the addresses. Is there a way to get WS to save the SNI information for use in following traces?

Thanks.

DoctorBrown ( 2025-07-26 21:24:53 +0000 )

You can create a hosts file based on the output of:

tshark -r filename.pcapng -T fields -e ip.dst -e ipv6.dst -e tls.handshake.extensions_server_name -Y tls.handshake.extensions_server_name | sort -u

And add that to the personal preferences directory or use tshark -H hostsfile etc.
Wireshark also has a feature to 'edit resolved name' (right click on IP address) and store a custom name in the pcapng file.

Note: a PTR record (reverse lookup) is not required for normal operation.

André ( 2025-07-27 10:44:38 +0000 )
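The two steps discussed above, checking what a reverse lookup actually asks for and turning the tshark SNI output into a hosts file, as an added example that is not code from the thread or from the Wireshark project. It assumes the three-column output of the tshark command André gave (ip.dst, ipv6.dst, tls.handshake.extensions_server_name, tab-separated, with an empty column when a field is absent and comma-joined values when a field occurs more than once in a frame); the addresses and names in the sample are constructed from documentation ranges, not taken from the poster's trace.

```python
"""Build a Wireshark/tshark hosts file from SNI data, and show the PTR
query name a reverse lookup uses.

Added example, not from the original thread. Assumed input: the
tab-separated output of
  tshark -r file.pcapng -T fields -e ip.dst -e ipv6.dst \
         -e tls.handshake.extensions_server_name \
         -Y tls.handshake.extensions_server_name
"""
import ipaddress

# Constructed sample of that output (documentation addresses, not real
# mail servers). Column 1 ip.dst, column 2 ipv6.dst, column 3 SNI.
SAMPLE_TSHARK_OUTPUT = (
    "\t2001:db8:1::10\timap.example.net\n"
    "\t2001:db8:2::20\toutlook.office365.com\n"
    "\t2001:db8:2::20\toutlook.office365.com\n"          # duplicate frame
    "203.0.113.10\t\tsmtp.example.org\n"                 # IPv4 row
    "\t2001:db8:3::25\tsmtp.example.org,mail.example.org\n"  # two SNIs, one address
    "\t2001:db8:9::99\t\n"                               # no SNI at all
)


def parse_tshark_fields(text):
    """Return (address, sni) pairs from the three-column tshark output."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (3 - len(cols))          # pad rows with missing columns
        ip4, ip6, sni_field = cols[0], cols[1], cols[2]
        addr = ip6 or ip4                       # exactly one of the two is set
        if not addr:
            continue
        for sni in sni_field.split(","):        # tshark joins repeats with commas
            sni = sni.strip()
            if sni:
                pairs.append((addr, sni))
    return pairs


def build_hosts_map(pairs):
    """First SNI seen for an address wins; other names are kept as conflicts.

    One address can front many names (CDNs, mail front ends), and the SNI is
    only what the client asked for, so the conflicts are worth reviewing
    rather than silently dropped.
    """
    hosts, conflicts = {}, {}
    for addr, name in pairs:
        try:
            ipaddress.ip_address(addr)          # skip anything that is not an address
        except ValueError:
            continue
        if addr not in hosts:
            hosts[addr] = name
        elif hosts[addr] != name:
            conflicts.setdefault(addr, set()).add(name)
    return hosts, conflicts


def render_hosts_file(hosts):
    """hosts file format Wireshark reads: '<address> <name>' per line."""
    return "".join(f"{addr} {name}\n" for addr, name in sorted(hosts.items()))


def ptr_query_name(addr):
    """The name nslookup (and Wireshark's resolver) queries for a PTR record:
    nibble-reversed under ip6.arpa for IPv6, octet-reversed under in-addr.arpa
    for IPv4. 'Non-existent domain' means no PTR exists at this name."""
    return ipaddress.ip_address(addr).reverse_pointer


if __name__ == "__main__":
    hosts, conflicts = build_hosts_map(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT))
    print(render_hosts_file(hosts), end="")
    for addr, names in conflicts.items():
        print(f"# {addr} also seen with SNI: {', '.join(sorted(names))}")
    for addr in hosts:
        print(f"# PTR query for {addr}: {ptr_query_name(addr)}")
```

Feed it the real tshark output (`tshark ... | python3 make_hosts.py`, adapting the `__main__` block to read stdin) and save the result as `hosts` in the profile directory shown under Help > About Wireshark > Folders, or pass it with `tshark -H hosts`. Wireshark needs the file to be present before the trace is opened, which is why the names do not carry over from one capture to the next on their own. The PTR names are there to make the nslookup result concrete: a PTR record lives at that reversed name, and nothing in IMAP or SMTP submission requires the server operator to publish one.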

Perfect! I just got a little more competent. Thanks for your help.

DoctorBrown ( 2025-07-27 19:08:34 +0000 )