I'm trying to apply the filter ip.dst_host. The Wireshark Wiki says it should work, and Wireshark accepts it. However, when I apply it I get no results whatsoever. Is the filter broken, or am I using it wrong?
asked 14 Dec '14, 06:31 Peregrino69
One Answer:
Works for me. However, once you have resolved an IP address to a hostname you need to filter on the hostname. The filter will not match if you use the IP address. Here's an example where a hostname resolves to 3 different IP addresses, which is not uncommon on the internet. So using
Regards, Matthias
answered 14 Dec '14, 06:55 mrEEde, edited 14 Dec '14, 22:17
Sorry, but I'm not following you now. When using ip.dst_host you use the DNS name, not the IP address. And that's not working for me - or I'm expecting a different result.
I tested now with Ubuntu 14.04 and Debian Wheezy 7.7, with Wireshark 1.12.2. When I apply the filter ip.dst_host hostname.com, no packets are displayed. If I apply the filter http and check the packets, I can find the hostname in the payload of the first HTTP packet.
ip.dest_hostname filters on a host name or an IP address, whatever is available. So if you traced the DNS traffic and allow Wireshark to resolve the IP addresses, it will use the resolved hostnames for those addresses that could be resolved, and IP addresses for those that couldn't be resolved. You could also manually resolve the IP addresses to host names, which would then enable you to apply this filter. If I understand your comment correctly, you're expecting that Wireshark filters on the hostnames in the HTTP payload?
I assumed ip.dest_host could be used, for example, to monitor traffic to a given DNS host. I was specifically testing with HTTP and ICMP traffic (ping hostname). There's a DNS request which resolves the host successfully, but even that doesn't come up with this filter. I'm fine with that - but now I'm interested in a practical situation when / how I could use this filter :) Maybe you can give me an example?
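The thread's practical point is that ip.dst_host only matches names Wireshark has itself resolved for an address; it never looks at an HTTP Host header, and a name that resolves to several addresses needs all of them covered. The following is an added example (editor's code, not from the thread or from the Wireshark project) of one way to handle that: parse the A records out of a captured DNS response, then either emit lines in the "address name" format of a hosts file, which Wireshark reads from its personal configuration directory when network name resolution is enabled, or expand the name into an equivalent ip.dst filter that works without any resolution at all. The DNS response bytes, the name hostname.com and the TEST-NET addresses are constructed for the example.

```python
"""Turn A records from a DNS response into Wireshark name-resolution inputs.

Editor's example, not code from the thread.  The response bytes are built
by build_response() and are constructed test data, not a real capture.
"""
import ipaddress
import struct

QTYPE_A = 1
QCLASS_IN = 1


def _read_name(msg: bytes, off: int):
    """Decode a DNS name at `off`, following compression pointers.

    Returns (name, offset_after_name).  Only the first pointer advances the
    caller's offset; jumps after that stay internal to the name.
    """
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:  # a crafted pointer loop would otherwise spin forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def a_records(msg: bytes):
    """Return [(name, ipv4)] for every A/IN record in the answer section."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    out = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            out.append((name, str(ipaddress.IPv4Address(rdata))))
    return out


def hosts_file(records):
    """Lines in hosts(5) layout, 'address name', one per A record."""
    return "".join(f"{ip}\t{name}\n" for name, ip in records)


def dst_filter(records, name):
    """ip.dst display filter covering every address the answer gave `name`."""
    ips = sorted({ip for n, ip in records if n == name})
    return " || ".join(f"ip.dst == {ip}" for ip in ips)


def build_response(name, ips, txid=0x1234):
    """Construct a minimal DNS response with one question and one A record
    per address; answers use a pointer (0xC00C) back to the question name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0)
    body = qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for ip in ips:
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        body += ipaddress.IPv4Address(ip).packed
    return hdr + body


# Constructed sample: hostname.com resolving to three TEST-NET addresses.
SAMPLE = build_response("hostname.com", ["192.0.2.10", "192.0.2.11", "198.51.100.7"])

if __name__ == "__main__":
    recs = a_records(SAMPLE)
    print(hosts_file(recs), end="")
    print(dst_filter(recs, "hostname.com"))
```

With the hosts-file lines installed and network name resolution enabled, ip.dst_host == "hostname.com" matches packets to any of the three addresses; the ip.dst expansion gives the same selection on a capture where Wireshark resolved nothing.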