This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can I use subnets or hosts file for manual subnet member resolution?

0

Situation: we have a host with a dynamic ip, e.g today 8.8.1.2, tomorrow 8.8.3.200. The subnet is the same 8.8.0.0/16. During the live capture we need to spot (notice) that we have one of the hosts belonging to 8.8.0.0/16 subnet.
Can we specify the subnet in HOSTS or SUBNETS file (in wireshark directory) for manual resolution of it ? I've tried to specify if in the HOSTS file

8.8.*.* oursubnethost
8.8.. oursubnethost
8.8.?.? oursubnethost
8.8.0.0/16 oursubnethost

, but it does not work...
There is a display filter for this task... Tip #17: Subnet Filters Wireshark understands CIDR (classless interdomain routing) address definitions. If you want to create a display filter for all devices who's network address starts with 10.3, use the syntax ip.addr==10.3.0.0/16. Use CIDR definitions when filtering on a subnet.

asked 23 Feb '12, 22:10

contradictor_'s gravatar image

contradictor_
1224
accept rate: 0%

2 Answers:

1

You can't do this in the hosts file. According to the Wireshark help file (I've never done it), you can do this in the subnets file using the syntax "8.8.0.0/16 subnetname".

Note that this will only work as long as there is not an exact match from the hosts file or from DNS. If there is an exact match, that name will be displayed.

Why not just use the display filter? That seems like the quickest, easiest way to spot a host belonging to a particular subnet. If you use partial name resolution using the subnets file, you might not notice a host belonging to the subnet of interest during a live capture if there is a lot of other traffic and the display is scrolling quickly. If you apply the display filter, you will see the traffic from that subnet, since it will be the only traffic displayed.

Even in a saved capture file it might be hard to spot the host you're interested in if its traffic is mixed in with a lot of traffic from other subnets, unless you use a display filter.

answered 24 Feb '12, 13:53

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Thanks... I'm not waiting for a specific subnet host. I'm planning to make a list of around 50 subnets(giving a nickname to each) and want to instantly see the nickname when one of these 50 subnets appears."A lot of traffic" is already filtered out. And following display filter could do the job ip.addr==9.9.0.0/16 or ip.addr==8.8.0.0/16 or ip.addr==7.7.0.0/16 ... (specifing 50 subnets in one filter). Thanks again.

(24 Feb '12, 15:03) contradictor_

If that's the case, then it sounds like the subnets file is exactly what you want. After I posted my answer, I was able to test, and it worked with no problems on the first try.

(24 Feb '12, 16:05) Jim Aragon

It's true, that " this will only work as long as there is not an exact match from the hosts file or from DNS. If there is an exact match, that name will be displayed." So my assigned NICKNAMES for subnets do NOT appear, if wireshark can resolve from DNS =(

(24 Feb '12, 19:56) contradictor_

0

It's possible to generate a HOSTS file with (255x255=65025) 65025 entries like this

8.8.0.1 oursubnethost
8.8.0.158 oursubnethost
8.8.0.254 oursubnethost
8.8.222.235 oursubnethost
8.8.254.111 oursubnethost

Will this be too hard for wireshark to manage? The hardware is ok.

answered 26 Feb '12, 03:47

contradictor_'s gravatar image

contradictor_
1224
accept rate: 0%

edited 26 Feb '12, 03:48

1

Don't know. I haven't heard of anyone trying to use a Wireshark hosts file that large. Try it and let us know. Here's another possibility to highlight traffic from the systems you're interested in. Create a coloring rule and put it at the top of the coloring rule list. Something like "ip.src==8.8.0.0/16".

(26 Feb '12, 10:19) Jim Aragon