Wireshark-users: Re: [Wireshark-users] Arbitrarily labelling src / dst IPs?
From: "Simon Mullis" <simon@xxxxxxxxxxxx>
Date: Wed, 27 Sep 2006 16:12:22 +0100
Yes - I know about this.

From the man page it specifies:

"Name Resolution (hosts)
If the personal hosts file exists, it is used to resolve IPv4 and IPv6 addresses before any other attempts are made to resolve them. The file has the standard hosts file syntax; each line contains one IP address and name, separated by whitespace. ***The same directory as for the personal preferences file is used***."

I'm sure I've tried using the standard windows hosts file previously with no success...

I got the impression from the FAQ / Docs regarding name resolution that Wireshark bypasses the standard methods and uses its own resolver... Is this true?

Thanks

SM

On 9/27/06, Small, James <JSmall@xxxxxxxxxxxxxx> wrote:

The Windows host file is %windir%\system32\drivers\etc\hosts (you might have to create the file). Usually this works out to be c:\windows\system32\drivers\etc\hosts (although it is possible to have a different drive and base windows directory).

Once you create the entries, you can test by using ping from a command prompt. For example, if I put an entry like this in my hosts file:

192.168.13.251 mail

Then I should be able to type "ping mail" from a command prompt and Windows should then resolve the name and start pinging to 192.168.13.251. If it doesn't, then something is wrong with the hosts file setup.

Don't forget to enable name resolution in Wireshark!

--Jim

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Simon Mullis
Sent: Wednesday, September 27, 2006 8:14 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Arbitrarily labelling src / dst IPs?

Hmmmm... I'm using Windows XP.

I create a 'hosts' file in the same directory as my personal preferences file (%USERPROFILE%\Application Data\Wireshark\)

I create a couple of hosts entries:

a.b.c.d testing
d.e.f.g othertest

I start wireshark and load the dump with the IPs a.b.c.d and d.e.f.g (both RFC1918). The IPs are still IPs.

I then click "View -> Name Resolution -> Resolve Name"

Nothing....

I've tried both Unix and Dos style line endings in the hosts file also.

Any ideas?

SM

On 9/27/06, Simon Mullis <simon@xxxxxxxxxxxx> wrote:
> Jaap - Many thanks!
>
> Who would have thought that reading the manual would be so productive.... ;-)
>
> Regards,
>
> SM
>
> On 9/27/06, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
> > Hi,
> >
> > From the MAN page:
> > -----------------8<------------------------------------
> > Name Resolution (hosts)
> > If the personal hosts file exists, it is used to resolve IPv4 and IPv6 addresses before any other attempts are made to resolve them. The file has the standard hosts file syntax; each line contains one IP address and name, separated by whitespace. The same directory as for the personal preferences file is used.
> > -----------------8<------------------------------------
> >
> > So this is very possible indeed :)
> >
> > Thanx,
> > Jaap
> >
> > On Wed, 27 Sep 2006, Simon Mullis wrote:
> > > Hi all,
> > >
> > > I have to look at a lot of tcpdumps on a regular basis and am finding that all of the IPs are merging into one and difficult to keep track of when I'm looking at a trace.
> > >
> > > Is there a way of arbitrarily labelling certain src / dst IPs
> > >
> > > eg.
> > >
> > > 10.1.1.3 = PROXY
> > > 192.168.9.1 = WWW1
> > > 192.168.9.20 = WWW2
> > > 172.16.34.34 = CLIENT
> > >
> > > Obviously I'd like to be able to do this within WireShark itself but if necessary I could pre-process the tcpdump files against a match-list (maybe I'll write a script if there's nothing else out there).
> > >
> > > I cannot use DNS resolution as all of the dumps are from client sites and generally use RFC1918 addressing so DNS lookup will not work (and I would rather not create a new Zone file for each tcpdump I analyse). I've tried using my /etc/hosts file but it doesn't seem to work (on Win32 at least).
> > >
> > > I would find this very, very useful.
> > >
> > > Thanks in advance
> > >
> > > SM
> > >
> > > --
> > > Simon Mullis
> > > _________________
> > > simon@xxxxxxxxxxxx
> > > _______________________________________________
> > > Wireshark-users mailing list
> > > Wireshark-users@xxxxxxxxxxxxx
> > > http://www.wireshark.org/mailman/listinfo/wireshark-users
> >
>
> --
> Simon Mullis
> _________________
> simon@xxxxxxxxxxxx

--
Simon Mullis
_________________
simon@xxxxxxxxxxxx

--
Simon Mullis
_________________
simon@xxxxxxxxxxxx
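A small helper of the kind the original question mentions as a fallback, added here as an example and not code from the thread or from Wireshark: it writes a label map in the one-IP-one-name hosts syntax the man page describes (so it can be dropped into the personal preferences directory), reads such a file back tolerating both DOS and Unix line endings, and relabels tcpdump text output against the same map. The label map and the sample tcpdump line in the test are constructed.

```python
"""Hosts-file helpers for labelling RFC1918 addresses in traces.
Added example; the label map below is constructed from the thread's question."""
import ipaddress
import re
import sys

# Constructed map, using the labels from the original question.
LABELS = {
    "10.1.1.3": "PROXY",
    "192.168.9.1": "WWW1",
    "192.168.9.20": "WWW2",
    "172.16.34.34": "CLIENT",
}

# An IPv4 token in tcpdump text output; tcpdump appends ".port" to addresses.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?=\.\d+\b|[^\d.]|$)")

def hosts_text(labels):
    """Render 'IP name' lines, one entry per line, as the man page describes.
    Invalid addresses or names raise ValueError instead of being written."""
    lines = []
    for ip, name in labels.items():
        addr = ipaddress.ip_address(ip)  # accepts IPv4 and IPv6, rejects a.b.c.d
        if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
            raise ValueError(f"bad hostname {name!r}")
        lines.append(f"{addr} {name}")
    return "\n".join(lines) + "\n"

def parse_hosts(text):
    """Read hosts-file text back. Tolerates CRLF and LF endings, blank lines
    and '#' comments; keeps only the first name on each line."""
    out = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            out[str(ipaddress.ip_address(fields[0]))] = fields[1]
    return out

def relabel(line, labels):
    """Replace whole IPv4 tokens in a tcpdump text line with their labels."""
    return IP_RE.sub(lambda m: labels.get(m.group(1), m.group(1)), line)

if __name__ == "__main__":
    # Usage: script.py <wireshark personal config dir>; writes 'hosts' there
    # with Unix line endings, which parse_hosts and Wireshark both accept.
    with open(f"{sys.argv[1]}/hosts", "w", newline="\n") as f:
        f.write(hosts_text(LABELS))
```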