Wireshark-dev: Re: [Wireshark-dev] How does Wireshark do name resolution?
From: Richard Brooks <richardbuk@xxxxxxx>
Date: Thu, 7 Jan 2010 05:23:05 -0000
Hello Chris 

I am trying to identify who the ip addresses belong to by eye-balling the
reverse DNS results. So 'bskyb-pop3-ssl.l.google.com' is person friendly
because it tells me that the address belongs to BSkyB, that it is their POP3
server and that it using the SSL protocol. On the other hand
'gv-in-f208.1e100.net' tells me nothing about who or what
'gv-in-f208.1e100.net' is, thus 'gv-in-f208.1e100.net' is not person
friendly.

Regards
Richard
<RichardBUK@xxxxxxx>
 
 

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: 07 January 2010 02:48
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?

Well, I'm not entirely sure what you mean by "person-friendly" but I assume
you mean a simpler API or one that's easier to interface with?  I don't
exactly recall why the switch was made from adns to c-ares (as it hardly
makes much difference to me since I almost never enable name-resolution),
but I recall some discussion about it on the developer's list earlier last
year.  The release announcement for version 1.2 indicated that, "Support for
the c-ares resolver library has been added. It has many advantages over
ADNS."  (see http://www.wireshark.org/news/20090615.html).  Although it
doesn't elaborate on what those advantages are, you can be sure that there
was good justification for it.
 
That said, I assume c-ares to be superior to adns, but I don't have any more
information about it.  A search of the developer's list archives might
reveal more about the reasons for the switch, or maybe some of the real
Wireshark experts can offer some additional insight.
 
Sorry I couldn't be of more help,
Chris

________________________________

From: wireshark-dev-bounces@xxxxxxxxxxxxx on behalf of Richard Brooks
Sent: Wed 1/6/2010 3:30 PM
To: 'Developer support list for Wireshark'
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?



Hello Chris

Any suggestions as to which returns more person friendly results?

Regards
Richard
<RichardBUK@xxxxxxx>


-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Maynard, Chris
Sent: 06 January 2010 15:06
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?

Wireshark currently uses c-ares by default: http://c-ares.haxx.se/ But
Wireshark can be configured to use adns instead:
http://www.chiark.greenend.org.uk/~ian/adns/

- Chris

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Richard Brooks
Sent: Wednesday, January 06, 2010 3:18 AM
To: wireshark-dev@xxxxxxxxxxxxx
Subject: [Wireshark-dev] How does Wireshark do name resolution?

I am writing an interface to Snort's MySQL database. The interface currently
uses nslookup to try and resolve ip addresses to their human friendly names,
but Wireshark is doing a much better job than nslookup. For example using
nslookup ip address '216.239.59.208' resolves to 'gv-in-f208.1e100.net',
however Wireshark correctly resolves this ip address to the much more
meaningful 'bskyb-pop3-ssl.l.google.com', which is much more descriptive
than the previous effort.

The Snort interface I am writing relies on addresses that look out of place
when resolved to their human friendly names. For example to help the user of
the interface spot addresses that are non-commercial (i.e. a hacker/zombie
machine rather than say 'www.amazon.com').

What makes things even worst, is than many times nslookup returns the likes
of 'The requested name is valid, but no data of the requested type was
found'.

If anyone has any ideas on what Wireshark is using to resolve ip addresses,
I'd be most grateful if they would let me in on it?

Regards
Richard
 
 



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
CONFIDENTIALITY NOTICE: The contents of this email are confidential and for
the exclusive use of the intended recipient. If you receive this email in
error, please delete it from your system immediately and notify us either by
email, telephone or fax. You should not copy, forward, or otherwise disclose
the content of the email.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


CONFIDENTIALITY NOTICE: The contents of this email are confidential and for
the exclusive use of the intended recipient. If you receive this email in
error, please delete it from your system immediately and notify us either by
email, telephone or fax. You should not copy, forward, or otherwise disclose
the content of the email.