First, apologies for the newbie question, I've purchased the excellent Wireshark Book, but need to figure this out faster than I can read through the large book. I'm trying to determine where a hostname is being incorrectly provided, on a multi-protocol network. Looking up the hostname returns an IP other than what appears this name is associated with locally. Nslookup does not have PTR (Reverse) records defined, so "nslookup ip.add.re.ss" just gives the error about not knowing the in-addr.arpa domain. nmblookup also does not return the expected name and IP pair, but the hostname in question is found in a capture file I've saved. How do I find what record this name is in, when I don't know what protocol or how it appears? Oh, and I've tried 'grep -n "string" file.cap', but obviously, with a binary capture file, you don't get much readable content; same with 'vim file.cap'. Thank you, Dragongeek asked 23 Jun '11, 14:39 dragongeek |
One Answer:
To find a string within a packet, click on Edit > Find Packet. Under "Find By:" select "string" and enter your search string in the text entry box. You'll probably want to leave "Case sensitive" unchecked. Under "Search in", the default is "Packet list" but that will only find a string that appears in the Info column of the Packet List pane, which is the one-line-per-packet summary view. There is a lot more information in most packets than what appears in the packet list Info column, so try "Packet details" and "Packet bytes". answered 23 Jun '11, 15:29 Jim Aragon |
Fantastic, thank you!