This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Bad name resolution

0

I have tried everything... clearing the DNS cache, creating a hosts file in the Wireshark directory the same as the Windows hosts file, unticking the DNS resolver on the Protocols->DNS, but nothing worked.

Currently, I have an IP that resolves to an older name that was previously configured in the Windows hosts file, but after changing it, Wireshark continues to show the previous name in its resolution.

Can someone help me out please? I want to update the name of the IP and Wireshark isn't helping.

Thank you

asked 29 Jul '15, 03:48

WamaKota
accept rate: 0%

Still in this pickle... has no one ever experienced this issue?

(31 Jul '15, 03:54) WamaKota

To determine if this is Wireshark, or your host's name resolution system, from a command prompt what does nslookup IP_IN_QUESTION return?

(31 Jul '15, 05:25) grahamb ♦

Hi grahamb,

I forgot to mention that I had already checked that:

Server: UnKnown
Address: 2001:8a0:6cc0:5901:226:44ff:fe9b:3a4d

*** UnKnown can't find 10.102.78.209: No response from server

It is a private IP that I added to the hosts file and later on I changed its name in the same file.

(31 Jul '15, 06:21) WamaKota

Ok, so apparently no name resolver available, falling back to hosts file and broadcast. Does the host actually exist on your local subnet with the "original" name?

Is it an IPv4 or IPv6 address you're having issues with?

Is the address visible in the NetBIOS cache, nbtstat -c?

Do you have WINS configured?

(31 Jul '15, 06:27) grahamb ♦

No, it doesn't exist in my subnet.

It's IPv4 and it is not on the NBT's cache list.

(31 Jul '15, 06:32) WamaKota

And does ping hostname use the correct address (as in your hosts file)?

(31 Jul '15, 06:51) grahamb ♦

Don't think I have WINS configured... how do I check that? :)

(31 Jul '15, 06:53) WamaKota

And I cannot ping the IP as it isn't in my subnet and there is no connection to the IP so it can't resolve its name.

(31 Jul '15, 06:55) WamaKota

But if name resolution was working from the hosts file then it would resolve the name even if you can't actually ping it. I just tested this (Win 8.1) by adding "1.2.3.4 testname" to the hosts file and then using ping testname.

For WINS, ipconfig /all and check for any WINS servers listed for the interface in question.

(31 Jul '15, 07:19) grahamb ♦

I don't have WINS configured.

I think you aren't grasping the issue. In the hosts file, the IP is configured with a different name than the one shown in Wireshark. That's why I can't ping the host Wireshark presents but my machine resolves the name I have updated for the same IP in the hosts file.

I'll try to explain:

IP - 10.102.78.209

Name resolution on Wireshark - S13_interface

Hosts file - 10.102.78.209 S6A_LB1

Ping result:

ping S6A_LB1

Pinging S6A_LB1 [10.102.78.209] with 32 bytes of data:

I hope I was able to explain myself :)

Thank you for your time and resolve in this issue!

(31 Jul '15, 07:32) WamaKota

I think I do understand the issue, but was trying to eliminate some usual reasons for name resolution to not work as expected.

What does the Wireshark Address Resolution list show for IPv4 (Statistics -> Show Address Resolution)?

(31 Jul '15, 07:48) grahamb ♦

My friend, I think you are near the jackpot! :)

The IP on the list you mentioned is the incorrect one. I deleted one of the entries that was incorrect and it changed to the updated and right one, but then I tried to delete all the entries so it refreshed itself and it didn't work for all IP addresses.

But I think we are getting somewhere...

(31 Jul '15, 08:01) WamaKota

One Answer:

1

First off, what version of Wireshark are you using?

Are you using Profiles? Perhaps you're editing the hosts file in a different profile than the active profile?

answered 31 Jul '15, 09:42

cmaynard ♦♦
accept rate: 20%

Version 1.12.5

Been using the default profiles, never added one.

(31 Jul '15, 09:45) WamaKota

grahamb was helping me out and he found that the name resolution in the Statistics -> Show Address Resolution is the wrong one. Do you know how to flush this resolution?

(31 Jul '15, 09:48) WamaKota

Can you confirm the following:

  • Since you're using the Default profile, the directory where the hosts file is located is in your personal configuration directory as found via: Help -> About Wireshark -> Folders -> Personal configuration
  • Your name resolution settings set under Edit -> Preferences -> Name Resolution are correct? i.e., you have 'Resolve network(IP) addresses' enabled and possibly also the 'Only use the profile "hosts" file' enabled as well.

(31 Jul '15, 09:53) cmaynard ♦♦

You are working with a .pcap file or a .pcapng file? If .pcapng, what happens if you save it as a .pcap file?

(31 Jul '15, 09:55) cmaynard ♦♦

@cmaynard, I'd assumed the hosts file in question was the Windows one, hence my earlier efforts to ensure that Windows at least did the correct thing.

(31 Jul '15, 10:19) grahamb ♦

@grahamb, Yup, it would be nice if all questions came with Wireshark version and platform information like bug reports are expected to include.

(31 Jul '15, 10:29) cmaynard ♦♦

I have changed the hosts file in the personal configuration folder (it was outdated).

After that, I have set the name resolution settings with the tick on 'Only use the profile "hosts" file' and the problem seems solved!

Both combined did the trick.

Thank you so much for your help! :)

(31 Jul '15, 13:22) WamaKota
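
The check that resolved this thread, as an added example (not code posted by any participant and not part of Wireshark): it compares the operating system's hosts file with the hosts file in Wireshark's personal configuration folder and lists addresses whose names differ. The two file contents are constructed samples built from the address and names quoted in the thread; the function names are illustrative.

```python
import ipaddress


def parse_hosts(text):
    """Map each address in hosts-file text to the names listed for it."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalise IPv4/IPv6 text
        except ValueError:
            continue  # first field is not an address
        names = table.setdefault(ip, [])
        for name in fields[1:]:
            if name not in names:
                names.append(name)
    return table


def stale_entries(system_text, profile_text):
    """Return (ip, system_names, profile_names) where the two files disagree."""
    system, profile = parse_hosts(system_text), parse_hosts(profile_text)
    mismatches = []
    for ip in sorted(set(system) & set(profile)):
        # Host names are case-insensitive, so compare lowercased sets.
        if {n.lower() for n in system[ip]} != {n.lower() for n in profile[ip]}:
            mismatches.append((ip, system[ip], profile[ip]))
    return mismatches


# Constructed sample: the Windows hosts file after the rename.
SYSTEM_HOSTS = """\
127.0.0.1       localhost
10.102.78.209   S6A_LB1     # updated name
"""

# Constructed sample: the outdated hosts file in the personal configuration folder.
PROFILE_HOSTS = """\
10.102.78.209   S13_interface
"""

if __name__ == "__main__":
    for ip, sys_names, prof_names in stale_entries(SYSTEM_HOSTS, PROFILE_HOSTS):
        print(f"{ip}: system={sys_names} wireshark-profile={prof_names}")
```

To run it against real files, read both paths with `open(...).read()`; the personal configuration path is the one shown under Help -> About Wireshark -> Folders.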