Wireshark-dev: Re: [Wireshark-dev] How does Wireshark do name resolution?
From: Richard Brooks <richardbuk@xxxxxxx>
Date: Wed, 6 Jan 2010 20:30:09 -0000
Hello Chris

Any suggestions as to which returns more person friendly results?

Regards
Richard
<RichardBUK@xxxxxxx>


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: 06 January 2010 15:06
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?

Wireshark currently uses c-ares by default: http://c-ares.haxx.se/
But Wireshark can be configured to use adns instead:
http://www.chiark.greenend.org.uk/~ian/adns/

- Chris

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Richard Brooks
Sent: Wednesday, January 06, 2010 3:18 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] How does Wireshark do name resolution?

I am writing an interface to Snort's MySQL database. The interface currently
uses nslookup to try to resolve IP addresses to their human-friendly names,
but Wireshark is doing a much better job than nslookup. For example, using
nslookup the IP address '216.239.59.208' resolves to 'gv-in-f208.1e100.net';
however, Wireshark correctly resolves this IP address to the much more
meaningful 'bskyb-pop3-ssl.l.google.com', which is much more descriptive
than the previous effort.

The Snort interface I am writing relies on addresses that look out of place
when resolved to their human-friendly names, for example to help the user of
the interface spot addresses that are non-commercial (i.e. a hacker/zombie
machine rather than, say, 'www.amazon.com').

What makes things even worse is that many times nslookup returns the likes
of 'The requested name is valid, but no data of the requested type was
found'.

If anyone has any ideas on what Wireshark is using to resolve IP addresses,
I'd be most grateful if they would let me in on it.

Regards
Richard
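The two names in the question above come from two different resolution paths, and the difference is worth making concrete. nslookup given an IP address sends a PTR query for the address's in-addr.arpa name, so the answer is whatever the owner of that address block chose to publish (here a generic 'gv-in-f208.1e100.net'). A sniffer, by contrast, can also watch the forward A answers that the monitored host itself requested, and Wireshark has a name-resolution preference to use captured DNS packet data in exactly that way; that is how a service name like 'bskyb-pop3-ssl.l.google.com' can appear against an address whose PTR record says something else. The example below is added here and is not code from the thread or from Wireshark; it parses constructed DNS responses offline with a small wire-format parser, harvests address-to-name mappings from both record types, and lets a forward name take precedence over a PTR name. The packet bytes, the builder helpers and the precedence rule are assumptions of the example. For a detection use case like the Snort interface, note that neither name is authenticated: PTR names are published by the address holder, and harvested forward names reflect what the client asked for, so either can be chosen to look innocuous.

```python
"""Added example: harvesting address->name mappings from DNS wire data.

Two sources are modelled, both parsed from raw DNS responses:
  * PTR answers (what nslookup asks for when given an IP address), and
  * forward A answers observed in traffic (what a sniffer can harvest),
with a forward name taking precedence when both are seen for one address.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

TYPE_A = 1
TYPE_PTR = 12


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:  # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes) -> List[Tuple[str, int, int, int]]:
    """Return (owner, rtype, rdata_offset, rdlen) for each answer record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((owner, rtype, offset, rdlen))
        offset += rdlen
    return answers


def ptr_owner_to_address(owner: str) -> str:
    """'208.59.239.216.in-addr.arpa' -> '216.239.59.208' (IPv4 only here)."""
    labels = owner.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return ".".join(reversed(labels[:-2]))


def harvest(responses: List[bytes]) -> Dict[str, str]:
    """Build an address->name table from observed responses.
    A answers map the returned address to the queried name; PTR answers
    map the reverse name back to its address but never override an A."""
    table: Dict[str, str] = {}
    for msg in responses:
        for owner, rtype, rd_off, rdlen in parse_answers(msg):
            if rtype == TYPE_A and rdlen == 4:
                table[str(ipaddress.IPv4Address(msg[rd_off:rd_off + 4]))] = owner
            elif rtype == TYPE_PTR:
                target, _ = read_name(msg, rd_off)  # rdata may use pointers
                table.setdefault(ptr_owner_to_address(owner), target)
    return table


# --- constructed sample responses (assumed values, not captured traffic) ---
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname: str, qtype: int, records: List[Tuple[int, bytes]]) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b""
    for rtype, rdata in records:  # owner = pointer to the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


PTR_RESPONSE = build_response("208.59.239.216.in-addr.arpa", TYPE_PTR,
                              [(TYPE_PTR, encode_name("gv-in-f208.1e100.net"))])
A_RESPONSE = build_response("bskyb-pop3-ssl.l.google.com", TYPE_A,
                            [(TYPE_A, ipaddress.IPv4Address("216.239.59.208").packed)])

if __name__ == "__main__":
    print("PTR only   :", harvest([PTR_RESPONSE]))
    print("PTR + A    :", harvest([PTR_RESPONSE, A_RESPONSE]))
```

Running the block shows the PTR-only table naming the address 'gv-in-f208.1e100.net' and the combined table naming it 'bskyb-pop3-ssl.l.google.com', which reproduces the discrepancy the question describes from nothing but the two record types.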

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe