This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

My understanding from the documentation at http://www.wireshark.org/docs/wsug_html_chunked/ChUseViewMenuSection.html is that clicking "View Menu > Name Resolution > Resolve Name" should perform name resolution on the currently selected packet. This is, or would be, a very useful feature, as I typically don't want to turn on network name resolution to prevent the additional reverse DNS queries during a capture, for a couple reasons. But when I do find a packet of interest and I don't recognize one of the IP addresses inside then I'd like to be able to click on it and do some more investigation (like a reverse lookup, etc.).

When I select a packet and then click the "Resolve name" option, however, nothing seems to happen. The GUI doesn't update the selected packet and replace the IP addresses with FQDNs (even when I can just go to a command prompt and get the same FQDN with nslookup). I've tried changing the DNS server my OS points to, and I've tried resolving several different IP addresses and this option just doesn't seem to do anything. On a few occasions I noticed that when I click this option the first time within a capture I can see a single reverse lookup (usually for that packet's destination address, not the source, oddly) and then nothing else (even this behavior isn't reliably repeatable). No more attempts to resolve anything no matter how many times I click Resolve name or how many packets I try this on. I tried marking the packets to see if that matters; it didn't. I tried updating to WinPcap 4.1.3 and a few different builds (64- and 32-bit) of Wireshark. I tried running Wireshark in a clean Virtual Machine running an older version of Windows. No change.

Am I doing something wrong here? Or is this a bug I should report? Thought I'd ask in case this is just my bad, before going to the Bugzilla. Thanks in advance.

asked 07 Apr '13, 07:21

poundonu

You're doing it correctly, but you're not looking in the right place for the results. "Resolve Name" does not change the display in the Packet List, only in the Packet Details pane. Expand the Internet Protocol header in the Packet Details pane and you will see the resolved domain names displayed next to the source and destination IP addresses. "Resolve Name" also resolves the MAC address OUIs at the same time.

Since you have to go into the Packet Details pane anyway, you can do this more quickly by using Wireshark's right-click functionality instead of the menu. Right-click anywhere in the Packet Details pane and select "Resolve Name."

If you want to see domain names in the Packet List, you'll have to turn on network name resolution instead of doing manual one-off resolutions.

answered 07 Apr '13, 11:51

Jim Aragon

You can get the precise behavior you're looking for from instructions over here: http://www.howtogeek.com/106191/5-killer-tricks-to-get-the-most-out-of-wireshark/

Essentially, you click Edit | Preferences, and enable DNS Resolution. The packets in your window will all update.

Cheers

answered 30 Dec '14, 12:42

kyrka

Remove a 'capture filter' you might have previously established:

-> Edit -> Configuration Profiles.

  • Note the folder link that contains 'profile preferences'.

  • In the 'Profiles' subfolder, using a text editor, edit the preferences file.

  • Remove or '# comment' any 'capture filters' that you might have previously established.

answered 28 Mar '16, 20:17

rove

edited 28 Mar '16, 21:13

question asked: 07 Apr '13, 07:21

question was seen: 29,929 times

last updated: 28 Mar '16, 21:13
