This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is ip.dst_host filter working?

0

I'm trying to apply the filter ip.dst_host. The Wireshark Wiki says it should work, and Wireshark accepts it. However, when I apply it I get no results whatsoever. Is the filter broken, or am I using it wrong?

asked 14 Dec '14, 06:31

Peregrino69
accept rate: 0%


One Answer:

0

Works for me. However, once you have resolved an IP address to a hostname you need to filter on the hostname. The filter will not match if you use the IP address.

Here's an example where a hostname resolves to 3 different IP addresses, not uncommon on the internet. So using ip.host == gmail-imap.l.google.com will filter traffic to/from all three IP addresses. Another use case is filtering on any "amazon" or "imap" addresses using the "contains" operator. It works if you can resolve the IP addresses, ideally by having the DNS answers in the tracefile.

Regards, Matthias

[two screenshots attached]

answered 14 Dec '14, 06:55

mrEEde
accept rate: 20%

edited 14 Dec '14, 22:17

Sorry, but I'm not following you now. When using ip.dst_host you use the DNS name, not the IP address. And that's not working for me - or I'm expecting a different result.

I tested now with Ubuntu 14.04 and Debian Wheezy 7.7, with Wireshark 1.12.2. When I apply the filter ip.dst_host hostname.com, no packets are displayed. If I apply the filter http and check the packets, I can find the hostname in the payload of the first http packet.

(14 Dec '14, 09:21) Peregrino69

ip.dest_hostname filters on a host name or an IP address, whatever is available. So if you traced the DNS traffic and allow Wireshark to resolve the IP addresses, it will use the resolved hostnames for those addresses that could be resolved, and IP addresses for those that couldn't be resolved. You could also manually resolve the IP addresses to host names, which then would enable you to apply this filter. If I understand your comment correctly, you're expecting that Wireshark filters on the hostnames in the http payload?

(14 Dec '14, 13:19) mrEEde
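The resolution behaviour described in the answer and in the comment above, modelled as an added Python example (not Wireshark's own code): a name table is built from the DNS answers seen in a trace, and ip.dst_host is then matched with == and contains against the resolved name when one exists, otherwise against the address. The DNS answers, addresses and packet list are constructed samples; one name deliberately maps to three addresses.

```python
# Constructed sample trace: DNS answers seen in the capture, plus the
# IP packets whose destination we want to filter on.
DNS_ANSWERS = [
    ("gmail-imap.l.google.com", "173.194.70.108"),
    ("gmail-imap.l.google.com", "173.194.70.109"),
    ("gmail-imap.l.google.com", "173.194.70.16"),
    ("s3.amazonaws.com", "54.231.0.1"),
]
PACKETS = [
    {"no": 1, "dst": "173.194.70.108"},
    {"no": 2, "dst": "173.194.70.109"},
    {"no": 3, "dst": "173.194.70.16"},
    {"no": 4, "dst": "54.231.0.1"},
    {"no": 5, "dst": "10.0.0.1"},  # no DNS answer in the trace: stays an address
]


def build_name_table(answers):
    """Network-layer name table fed from the DNS answers in the trace."""
    return {ip: name for name, ip in answers}


def dst_host(pkt, table, resolve=True):
    """ip.dst_host: the resolved name when one is known, otherwise the address."""
    ip = pkt["dst"]
    return table.get(ip, ip) if resolve else ip


def filter_dst_host(packets, table, op, value, resolve=True):
    """Apply `ip.dst_host == value` or `ip.dst_host contains value`.

    Returns the numbers of the packets that match.
    """
    matched = []
    for pkt in packets:
        field_value = dst_host(pkt, table, resolve)
        if op == "==" and field_value == value:
            matched.append(pkt["no"])
        elif op == "contains" and value in field_value:
            matched.append(pkt["no"])
    return matched


if __name__ == "__main__":
    table = build_name_table(DNS_ANSWERS)
    # One hostname covers all three addresses it resolved to.
    print(filter_dst_host(PACKETS, table, "==", "gmail-imap.l.google.com"))  # [1, 2, 3]
    # With name resolution off the field only holds addresses, so a name never matches.
    print(filter_dst_host(PACKETS, table, "==", "gmail-imap.l.google.com", resolve=False))  # []
    # Once an address is resolved, filtering on the raw address no longer matches (the answer's point).
    print(filter_dst_host(PACKETS, table, "==", "173.194.70.108"))  # []
    print(filter_dst_host(PACKETS, table, "contains", "amazon"))  # [4]
    # An address with no DNS answer in the trace is still matched as an address.
    print(filter_dst_host(PACKETS, table, "==", "10.0.0.1"))  # [5]
```

In tshark the corresponding run is `tshark -r trace.pcap -N n -Y 'ip.dst_host contains "amazon"'`, where -N n enables network-layer name resolution; with -n (resolution off) the same filter matches nothing, as in the resolve=False case above.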

I assumed ip.dest_host could be used for example to monitor traffic to a given DNS host. I was specifically testing with http and icmp traffic (ping hostname). There's a DNS request which resolves the host successfully, but even that doesn't come up with this filter. I'm fine with that - but now I'm interested in a practical situation when / how I could use this filter :) Maybe you can give me an example?

(14 Dec '14, 15:29) Peregrino69