This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IP name resolution not working

0

How to convert source and destination ip address to host names, i was trying to open datasets of netflow data traces or wireless strength data traces. when i go to edit>preferences and enable the name resolution options nothing really works on wireshark 2.03

asked 06 May '16, 11:36

prajwal's gravatar image

prajwal
6112
accept rate: 0%

edited 20 Jul '16, 15:52

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142


2 Answers:

0

Name resolution should work as you expect--assuming that the computer you're running Wireshark on now has access to a DNS server (or hosts file) that can resolve those IP addresses to names. (As Shawn points out it can also be done based on DNS packets you captured. But normally name resolution does not need to enabled while you're capturing.)

Two possibilities exist:

  1. Did you also enable the name resolution to use external name resolvers?
  2. You could be running into bug 12384. See the bug for how to work around it.

answered 06 May '16, 15:26

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Hi Jeff,

I did try out adding filters as u mentioned in bug12384, but no help either.

I was using my work laptop i will try accessing in my personal pc.

let you guys know if any update.

(09 May '16, 11:30) prajwal

What about the first question (do you have external name resolution enabled)?

One thing you could check is whether your PC is generating name requests--using Wireshark of course :-).

(09 May '16, 11:58) JeffMorriss ♦

I apologize if I underestimate you, but are the IP addresses you want to convert to hostnames public ones? I.e. does any PTR record actually exist for them anywhere? Even if they are public, what does nslookup ip.add.re.ss (Windows) or dig -x ip.add.re.ss (Linux) show for these addresses? Even some public addresses miss a PTR record in DNS so they cannot be resolved to hostnames.

Also, as you specifically mention Wireshark 2.0.3 and specific types of capture files (which don't sound like pcap or pcapng to me), the best thing would be if you could publish, login-free, an example of a real file you deal with in each of those formats somewhere (cloudshark is preferred by this site's community but may possibly not like non-pcap(ng) files, so in this particular case better use Dropbox, Google Drive, ...) and put links to them here. This should give us a better insight on the root cause of your issue.

(09 May '16, 13:50) sindy

-1

Hi prajwal,

Convert source and destination ip addresses to host names where?

If you mean in the WireShark Packet List pane, then go to Capture Interfaces > Options tab > Name Resolution and check "Resolve network names".

In short, it must be done in Capture > Options > Options tab > Name Resolution before a particular capture, not just enabled globally in Edit > Preferences.

This must be done before the capture is started.

This will actually create DNS "PTR" queries against whatever DNS resolvers you have configured in your operating system settings.

Hope this helps, Shawn

answered 06 May '16, 13:28

shawncarroll's gravatar image

shawncarroll
0112
accept rate: 0%

edited 06 May '16, 13:32

I was opening files previously captured which I have downloaded on internet. Some suggested me that she saw other guy replacing them with hostname, we could also convert the source IP addresses in that files also, You are saying that it couldn't be done I will just inform her we can't unless its live capture.

(06 May '16, 13:54) prajwal

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(06 May '16, 14:41) Jaap ♦

As mentioned in my answer, there's normally no reason you need to enable name resolution while capturing; name resolution should work after a capture is done too.

(06 May '16, 15:27) JeffMorriss ♦