This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter Apparently Doesn’t Support Host Name format for Address

1

The documentation states that this filter will work: ip.dst eq www.mit.edu

But when I try to use it, Wireshark gives me an error ' "www.mit.edu" is not a valid hostname or IPv4 address'

I cut-and-pasted the sample into the filter, so I expected it to work!

asked 23 Nov '10, 16:26

ActualRandy's gravatar image

ActualRandy
46224
accept rate: 0%


2 Answers:

1

Try using ip.dst_host eq www.mit.edu. That should resolve the syntax error issue. If you still don't see any traffic try turning on network name resolutions to see what www.mit.edu traffic is really resolving to (for example, www.wireshark.org actually resolves to media-2.cacetech.com.

answered 23 Nov '10, 17:11

lchappell's gravatar image

lchappell ♦
1.2k2730
accept rate: 8%

Thanks lchappell - that did the trick :-)

However, being a stickler of sorts, I hope Gerald will re-write the documentation, since the example looks wrong.

(23 Nov '10, 17:25) ActualRandy

Or you could add to the wiki page or the manuals or... <grin>

(23 Nov '10, 19:09) lchappell ♦

note: you have to enable Name Resolution on the preferences for this to work (disabled by default).

(08 Dec '14, 14:35) Ciro Santilli

However, being a stickler of sorts, I hope Gerald will re-write the documentation, since the example looks wrong.

I don't know what Gerald will do, but Guy will ask you to file a bug on this, because that's really badly broken; if our display-filter parser can't figure out that you can compare an IP address with a domain name, that's just horribly bad - it violates the Principle of Least Surprise.

(08 Dec '14, 20:22) Guy Harris ♦♦

0

Using hostnames in filters only work when they can be resolved. Do you have DNS configured on the system that you are running Wireshark on? And is the system able to resolve www.mit.edu?

answered 23 Nov '10, 16:34

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Hey Synbit - thanks for the response.

I can resolve www.mit.edu - I ran nslookup on it and received the ip 192.168.1.1

Regarding whether the system has DNS configured, I can't say; it is a public wireless access point

I ran it while in a live session, as opposed to a stored one, and it gave me a slightly different message: The following display filter isn't a valid display filter: ip.dst eq www.mit.edu

In this message, it is clearly saying that it thinks I have an invalid filter.

(23 Nov '10, 16:47) ActualRandy