Wireshark-dev: Re: [Wireshark-dev] How does Wireshark do name resolution?
From: Richard Brooks <richardbuk@xxxxxxx>
Date: Thu, 7 Jan 2010 05:23:05 -0000
Hello Chris

I am trying to identify who the ip addresses belong to by eye-balling the reverse DNS results. So 'bskyb-pop3-ssl.l.google.com' is person friendly because it tells me that the address belongs to BSkyB, that it is their POP3 server and that it is using the SSL protocol. On the other hand 'gv-in-f208.1e100.net' tells me nothing about who or what 'gv-in-f208.1e100.net' is, thus 'gv-in-f208.1e100.net' is not person friendly.

Regards
Richard <RichardBUK@xxxxxxx>

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: 07 January 2010 02:48
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?

Well, I'm not entirely sure what you mean by "person-friendly" but I assume you mean a simpler API or one that's easier to interface with? I don't exactly recall why the switch was made from adns to c-ares (as it hardly makes much difference to me since I almost never enable name-resolution), but I recall some discussion about it on the developer's list earlier last year. The release announcement for version 1.2 indicated that, "Support for the c-ares resolver library has been added. It has many advantages over ADNS." (see http://www.wireshark.org/news/20090615.html). Although it doesn't elaborate on what those advantages are, you can be sure that there was good justification for it. That said, I assume c-ares to be superior to adns, but I don't have any more information about it. A search of the developer's list archives might reveal more about the reasons for the switch, or maybe some of the real Wireshark experts can offer some additional insight.

Sorry I couldn't be of more help,
Chris

________________________________
From: wireshark-dev-bounces@xxxxxxxxxxxxx on behalf of Richard Brooks
Sent: Wed 1/6/2010 3:30 PM
To: 'Developer support list for Wireshark'
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?

Hello Chris

Any suggestions as to which returns more person friendly results?

Regards
Richard <RichardBUK@xxxxxxx>

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: 06 January 2010 15:06
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?

Wireshark currently uses c-ares by default: http://c-ares.haxx.se/

But Wireshark can be configured to use adns instead: http://www.chiark.greenend.org.uk/~ian/adns/

- Chris

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Richard Brooks
Sent: Wednesday, January 06, 2010 3:18 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] How does Wireshark do name resolution?

I am writing an interface to Snort's MySQL database. The interface currently uses nslookup to try and resolve ip addresses to their human friendly names, but Wireshark is doing a much better job than nslookup. For example, using nslookup the ip address '216.239.59.208' resolves to 'gv-in-f208.1e100.net'; however, Wireshark correctly resolves this ip address to the much more meaningful 'bskyb-pop3-ssl.l.google.com', which is much more descriptive than the previous effort. The Snort interface I am writing relies on addresses that look out of place when resolved to their human friendly names, for example to help the user of the interface spot addresses that are non-commercial (i.e. a hacker/zombie machine rather than say 'www.amazon.com'). What makes things even worse is that many times nslookup returns the likes of 'The requested name is valid, but no data of the requested type was found'. If anyone has any ideas on what Wireshark is using to resolve ip addresses, I'd be most grateful if they would let me in on it?

Regards
Richard

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
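Since the Snort interface described in the thread judges addresses by their reverse names, here is an added example (not Wireshark's, c-ares's, adns's or the poster's code) of a reverse lookup that keeps only names which resolve forward to the same address, and that reports the "no PTR record" case nslookup surfaces as 'no data of the requested type'. The 216.239.59.208 / gv-in-f208.1e100.net pair is the one quoted above; the other records and the `SAMPLE_*` tables are constructed so the script runs offline, and the `resolve_friendly` / `lookup_*` names are the example's own.

```python
import ipaddress
import socket

# Constructed sample records standing in for DNS answers, so the example runs offline.
# The 216.239.59.208 pair is the one quoted in the thread; the others are made up.
SAMPLE_PTR = {
    "216.239.59.208": ["gv-in-f208.1e100.net"],
    "203.0.113.7": ["mail.example.net"],  # constructed: PTR claims a name that does not point back
}
SAMPLE_A = {
    "gv-in-f208.1e100.net": ["216.239.59.208"],
    "mail.example.net": ["198.51.100.25"],  # constructed: forward record disagrees with the PTR
}


def lookup_ptr(ip, ptr_table=None):
    """PTR names for ip: from the sample table if given, else the system resolver."""
    if ptr_table is not None:
        return list(ptr_table.get(ip, []))
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []  # no PTR record: the 'no data of the requested type' case nslookup reports


def lookup_a(name, a_table=None):
    """IPv4 addresses that name resolves to, from the sample table or the system resolver."""
    if a_table is not None:
        return list(a_table.get(name, []))
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def resolve_friendly(ip, ptr_table=None, a_table=None):
    """Reverse-resolve ip, trusting a name only if it resolves forward to the same address.

    The PTR record is published by whoever controls the reverse zone, so a name that does
    not resolve back to ip is flagged 'unconfirmed' instead of being shown as fact."""
    ipaddress.ip_address(ip)  # reject malformed input before any lookup (raises ValueError)
    names = lookup_ptr(ip, ptr_table)
    confirmed = [n for n in names if ip in lookup_a(n, a_table)]
    if confirmed:
        return {"ip": ip, "name": confirmed[0], "status": "confirmed"}
    if names:
        return {"ip": ip, "name": names[0], "status": "unconfirmed"}
    return {"ip": ip, "name": None, "status": "no-ptr"}


if __name__ == "__main__":
    for addr in ("216.239.59.208", "203.0.113.7", "192.0.2.1"):
        print(resolve_friendly(addr, SAMPLE_PTR, SAMPLE_A))
```

Calling `resolve_friendly(ip)` without the sample tables performs live lookups through the system resolver; the status field is what an interface should display next to the name rather than the bare PTR string.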