This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ERR_NAME_NOT_RESOLVED - how to locate it in wireshark packets

0

Hello,

I get this error in crome when access any hp site. in other bwosers i just dont get the page. I ran wireshark but I cant figure put my finger on the problematic point. I tried all kinds of dns flushings and chamging hosts etc. no luck.

in the packet i see this -

597 35.003080000    192.168.12.52   15.203.153.225  TLSv1   208 Application Data, Application Data
596 34.784415000    192.168.12.52   192.168.0.105   NBNS    92  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
597 35.003080000    192.168.12.52   15.203.153.225  TLSv1   208 Application Data, Application Data
599 35.564440000    192.168.12.52   15.203.153.225  TLSv1   192 Application Data, Application Data
603 36.279751000    62.219.175.65   192.168.12.52   ICMP    120 Destination unreachable (Host unreachable)
605 36.297594000    192.168.12.52   192.168.0.105   NBNS    92  Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

thank you..

asked 15 Jun '15, 04:11

yosiba's gravatar image

yosiba
6334
accept rate: 0%

edited 15 Jun '15, 04:42

grahamb's gravatar image

grahamb ♦
19.8k330206

As usual, fault diagnosis via (limited) screen dump of some text is usually pointless as detail and context is missing.

Can you save a capture that contians the traffic over the period of you entering the URL and then the browser displaying the error message to a public share, e.g. Cloudshark, Google Drive, Dropbox, etc.?

If you wish, you can anonymize the capture using TraceWrangler.

(15 Jun '15, 04:48) grahamb ♦

Hi, here's my chrome packet capture: https://drive.google.com/file/d/0BzVO22gaxRILaUZrWHJRUkdTdm8/view?usp=sharing and my ie packet: https://drive.google.com/file/d/0BzVO22gaxRILU3ZwMEczaFhwaHM/view?usp=sharing

in both case i am trying to access HP.COM i did try to change dns to 8.8.8.8 etc and no success.

thanx....

(15 Jun '15, 05:53) yosiba

Those files appear to be text exports. I was really looking for the standard capture files so that I can use Wireshark rather than a text editor to look at the files.

(15 Jun '15, 06:17) grahamb ♦

Also, what is the url you're using.

(15 Jun '15, 06:22) grahamb ♦
(15 Jun '15, 06:58) yosiba

3 Answers:

0

603 36.279751000 62.219.175.65 192.168.12.52 ICMP 120 Destination unreachable (Host unreachable)

Would need to see the packet details but, you have an ICMP Answer from your ISP telling you that the address is unreachable. There are too few packets in the flow to really be sure but you are connected to 15.203.153.225 (HP France) via https and a destination unreachable is coming from 62.219.175.65 (Bezeq International, your ISP I hope)

If you have the trace, look at packet 603, drill down into the ICMP packet, it will contain the requested address. You cannot access this one, why is another question, but it looks like your ISP is blocking it or does not have it listed(unlikely)? try changing your DNS server to 8.8.8.8 (Googles DNS) and see if you can then access it.

answered 15 Jun '15, 04:31

DarrenWright's gravatar image

DarrenWright
216141520
accept rate: 26%

Why would changing the DNS server fix a "blocked" site, DNS is only used to resolve a name to an IP.

(15 Jun '15, 04:45) grahamb ♦

Because certain providers in certain countries like to 0.0.0.0 an address, works a lot better than a firewall.

(15 Jun '15, 05:04) DarrenWright

That's a failure to resolve a name, not a route blockage.

(15 Jun '15, 05:07) grahamb ♦

Arguably though, that may be the actual issue, I forgot to look at the question title.

(15 Jun '15, 05:08) grahamb ♦

too be honest, I was just guessing at the main problem as it is a little bleary from the description. It doesn't fail to resolve the name; It just resolves it to a dead IP which gives you then a blockage. It's unlikely, but given the users location, I wouldn't drop it out of hand.

(15 Jun '15, 05:13) DarrenWright

I tried putting 8.8.8.8 as dns.... and it didnt help

(15 Jun '15, 06:21) yosiba
showing 5 of 6 show 1 more comments

0

Can we please see the output of nslookup for the website. You mentioned it works fine with other browsers, so you should probably focus on Chrome. Check the advanced settings e.g. 'Use a webservice..', 'Predict network actions..'. You can dig deeper with chrome://net-internals/

answered 16 Jun '15, 02:12

Roland's gravatar image

Roland
7642415
accept rate: 13%

The problem is WITH ALL BROWSERS. The error message is differet, in Chrome - it gives the DNS_NAME_NOT_RESOLVED while in IE and FF it just says - Page cannot be displayed.

This is the output of nslookup: Default Server: dns2.bezeqint.net Address: 192.115.106.35.

(16 Jun '15, 02:33) yosiba

I don't see any request for hp.com in the packet captures. The only hp traffic is some ssl to 15.227.185.225. If you believe it's a dns problem type 15.216.241.18 in the browser and see if it works. Also try 'tracert -d 15.216.241.18' and check if it goes in the right direction.

(16 Jun '15, 07:19) Roland

Here is a new packet set - please help me understand why cant I connect to HP. I saw my machine trying to accesss some Ip and then I understood it's because the is an Hp printer and the machine keeps trying to connect there... so I removed this printer connection, but still it there is a problem.

here is the packet.

https://drive.google.com/file/d/0BzVO22gaxRILdlQ3bVpHRmVRV0U/view?usp=sharing

thanx!!!

(16 Jun '15, 07:57) yosiba

Still no request for hp.com. Have you tried what I suggested in my previous comment?

(17 Jun '15, 05:26) Roland

0

I'm sorry, but I don't understand what your problem might be? There are no signs at all for any problem related to accessing a server of HP, at least not in the capture files you have posted !?! The ICMP destination unreachable is totally unrelated and refers to a failed connection request to 192.168.0.5:445.

Please add (much) more details to your problem description:

  • What URL are you trying to connect to
  • What is the error message in the browser (screenshot of the browser would probably help)
  • Please try to capture the whole connection attempt by doing the following

ERR_NAME_NOT_RESOLVED - how to locate it in wireshark packets

To be able to locate the potential problem in the capture file, you'll have to do the troubleshooting in the right way, so please follow the following steps:

  1. close ALL browser windows
  2. run: ipconfig /flushdns in a DOS box
  3. start Wireshark and let it capture ALL traffic
  4. start a browser
  5. enter the URL that causes problems
  6. wait for the error in the browser
  7. Stop Wireshark. Save the capture file (in pcap format, NOT text!!) and upload it to Dropbox
  8. Make a screenshot of the browser window which is showing the error message
  9. Post the URL, the screenshot and the link to the capture file here

Thanks!

Regards
Kurt

answered 17 Jun '15, 06:37

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Here it is:

three links to files: the packet file: https://drive.google.com/file/d/0BzVO22gaxRILVUJVNmx5UmlIdWc/view?usp=sharing

screen capture of the error and the outcome of the "fix connection ptoblems" https://drive.google.com/file/d/0BzVO22gaxRILc2tBMW14RTRweXM/view?usp=sharing https://drive.google.com/file/d/0BzVO22gaxRILb2lKblRuZzBRUWc/view?usp=sharing

about the ip address - i found that it was of an Hp printer which my machine kept looking for.

thank you.

(17 Jun '15, 06:57) yosiba

The error message in the browser is certainly wrong, as you get an DNS response for hp.co.il:

Filter:

frame.number eq 684 or frame.number eq 685

Then your browser is trying to access the received IP and it gets a response.

Filter:

ip.addr eq 15.201.225.10

So, either the capture file you have posted does not match the browser error message, or there is something wrong with your browser!

Regards
Kurt

(17 Jun '15, 07:30) Kurt Knochner ♦