This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

source and destination columns

0

With the advent of IPv6, these columns are hard to quickly identify with a particular system. I was wondering if there is an option to use the "ethers" table, when an entry exists, in place of the IP address in either the source or destination column?

asked 17 Jul '13, 14:15


proj964

edited 18 Jul '13, 06:08


cmaynard ♦♦

What do you mean by "ethers" table? The MAC address vendor lookups?

(17 Jul '13, 14:17) Landi

2 Answers:

1

If you want to show the MAC addresses, or the names corresponding to the MAC addresses, in the columns in the packet summary, go to Edit -> Preferences, select "Columns", and for the "Source" and "Destination" columns, select "Hardware src addr" and "Hardware dest addr", respectively.

To get the addresses mapped to names, however, you'll have to add the names to the "ethers" file; that will not happen automatically, except in cases where packets such as ARP packets, allowing Wireshark to infer the MAC address to IP address mapping and thus to translate the IP address to a host name, are in the capture. (No, Wireshark does not automatically map MAC addresses to host names.)

This will, of course, not give useful information for packets that didn't originate and terminate on your LAN segment, but that are being routed through your network.

answered 17 Jul '13, 23:03


Guy Harris ♦♦

0

The hosts file is used for this purpose, not the ethers file.

For this to work, you must:

  • Start Wireshark
  • Enable network resolution: Edit -> Preferences -> Name Resolution -> Resolve network (IP) addresses -> Select -> OK
  • Navigate to where the hosts file is located: Help -> About Wireshark -> Folders -> Personal configuration -> double-click on the folder
  • Create/Open your hosts file: If a hosts file already exists, open it using any text editor; if it doesn't exist, then create an empty file named hosts and open it.
  • Add the entry or entries: Each entry will have the format as documented in man hosts. For more information, see also: Section 7.7 Name Resolution of the Wireshark user guide as well as Appendix A.2. Configuration Files and Folders.
  • Restart Wireshark
  • Open a capture file or start a live capture with traffic going to/from those hosts you just added and observe that they are resolved to the host names you entered

Some example entries:

# Comments must be prepended by the # sign!
192.168.0.1           homeserver
fdda:5cc1:23:4::1f    justin.example.com

answered 17 Jul '13, 20:04


cmaynard ♦♦

edited 17 Jul '13, 20:05

Since many of the IP addresses are DHCP assigned, I don't think the hosts file is an adequate answer. Even if one is willing to accept the additional overhead of DNS lookups, there are still the multicast and broadcast packets to consider. The one thing that is constant and consistent is the relationship of the MAC to the device.

(17 Jul '13, 20:26) proj964

If you only want name resolution for the entries in the host file to avoid DNS lookups, then you can enable the "Only use the profile hosts file preference" via: Edit -> Preferences -> Name Resolution -> Only use the profile "hosts" file.

(18 Jul '13, 05:49) cmaynard ♦♦
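The two answers above describe two static lookup tables Wireshark reads from the profile folder: "ethers" (MAC address to name, the file Guy Harris' answer points at) and "hosts" (IP address to name, the file cmaynard's answer documents). The following is an added example, not code from the original thread or from Wireshark itself: it parses constructed sample files in the same `<address> <name>` format, canonicalizes the addresses so that equivalent spellings match (an IPv6 address written with leading zeros, a MAC written with dashes), and then shows the fallback order the questioner is after: a hosts name if the IP is known, otherwise the ethers name for the MAC (which survives a DHCP lease change), otherwise the literal address with broadcast/multicast flagged. The sample entries, the `describe_address` function and its preference order are assumptions for illustration; Wireshark's own resolver is not reproduced here.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample files (not from the original page). Both use the same
# layout as the Unix files of the same names: one "<address> <name>" per line,
# "#" starts a comment.
ETHERS_TEXT = """\
# MAC address            name
00:11:22:33:44:55        homeserver
aa-bb-cc-dd-ee-ff        printer.example.com
"""

HOSTS_TEXT = """\
# Comments must be prepended by the # sign!
192.168.0.1           homeserver
fdda:5cc1:23:4::1f    justin.example.com   # trailing comment
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' match."""
    mac = mac.strip().replace("-", ":").lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def normalize_ip(addr: str) -> str:
    """Canonical text form: 'fdda:5cc1:0023:0004::001f' -> 'fdda:5cc1:23:4::1f'.
    ipaddress.ip_address also rejects anything that is not a valid v4/v6 address."""
    return str(ipaddress.ip_address(addr.strip()))


def parse_table(text: str, normalize) -> dict[str, str]:
    """Parse an ethers- or hosts-style file into {canonical address: first name}."""
    table: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<address> <name>'")
        table[normalize(fields[0])] = fields[1]  # extra fields are aliases; keep the first
    return table


def describe_address(ip: str, mac: str, hosts: dict[str, str], ethers: dict[str, str]) -> str:
    """What a Source/Destination column could show for one endpoint.

    Illustrative preference order (an assumption, not Wireshark's algorithm):
    hosts name, then ethers name, then the literal address. The MAC fallback is
    what keeps a DHCP client recognizable after its lease changes."""
    ip_c = normalize_ip(ip)
    if ip_c in hosts:
        return hosts[ip_c]
    mac_c = normalize_mac(mac)
    if mac_c in ethers:
        return ethers[mac_c]
    # No name known: at least label the group addresses that no hosts entry can cover.
    if mac_c == "ff:ff:ff:ff:ff:ff":
        return f"{ip_c} (broadcast)"
    if mac_c.startswith("01:00:5e:") or mac_c.startswith("33:33:"):
        return f"{ip_c} (multicast)"  # IPv4 / IPv6 multicast MAC prefixes
    return ip_c


if __name__ == "__main__":
    ethers = parse_table(ETHERS_TEXT, normalize_mac)
    hosts = parse_table(HOSTS_TEXT, normalize_ip)
    samples = [
        ("fdda:5cc1:0023:0004::001f", "00:11:22:33:44:55"),  # same host as the hosts entry
        ("192.168.0.77", "AA-BB-CC-DD-EE-FF"),               # new DHCP lease, MAC in ethers
        ("ff02::1", "33:33:00:00:00:01"),                    # all-nodes multicast
        ("10.0.0.5", "00:de:ad:be:ef:01"),                   # unknown host
    ]
    for ip, mac in samples:
        print(f"{ip:28} {mac:18} -> {describe_address(ip, mac, hosts, ethers)}")
```

A practical check before restarting Wireshark is to run each file through `parse_table`: it raises on a malformed MAC or IP, which is easier to spot here than as an address that silently stays unresolved in the packet list.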