[Winpcap-users] How does WinCap resolve IP addresses?

Richard Brooks richardbuk at sky.com
Sun Dec 20 09:05:33 PST 2009


How does WinCap resolve IP addresses? 

I am writing an interface to Snort's MySQL database. The interface currently
uses nslookup to try and resolve IP addresses to their human friendly names,
but WinCap is doing a much better job than nslookup. For example, using
nslookup, IP address '216.239.59.208' resolves to 'gv-in-f208.1e100.net';
however, WinCap correctly resolves this IP address to the much more
meaningful 'bskyb-pop3-ssl.l.google.com', which is much more descriptive
than the previous effort.

The Snort interface I am writing relies on addresses that look out of place
when resolved to their human friendly names. For example to help the user of
the interface spot addresses that are non-commercial (i.e. a hacker/zombie
machine rather than say 'www.amazon.com').

What makes things even worse is that many times nslookup returns the likes
of 'The requested name is valid, but no data of the requested type was
found'.

If anyone has any ideas on what WinCap is using to resolve ip addresses, I'd
be most grateful if they would let me in on it?

Regards
Richard
<RichardBUK at Sky.com>
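Added example, not part of the original post. WinPcap itself only captures packets and does no name resolution; a capture tool built on it (Wireshark, for example) can fill its address-to-name table from DNS answers it sees in the captured traffic, which is how such a tool can show the name the client actually queried, while nslookup does a reverse (PTR) lookup and gets either the reverse-zone name or the "no data of the requested type" error. The script below shows both approaches side by side: a minimal DNS response parser that maps each answered IPv4 address back through any CNAME chain to the queried name, and a PTR lookup wrapper that returns None instead of raising. The DNS message is constructed inline (names under example.com/example.net and the address 192.0.2.10 are made up for the demonstration), so it runs offline.

```python
import socket
import struct


def _name(labels):
    """Encode a list of labels as an uncompressed wire-format DNS name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_sample_response():
    """Constructed DNS response (UDP payload only), not captured from any real host:
    query A mail.example.com -> CNAME mailhost.example.net -> A 192.0.2.10."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR=1, RD, RA, 1 question, 2 answers
    question = _name(["mail", "example", "com"]) + struct.pack("!HH", 1, 1)  # type A, class IN
    target = _name(["mailhost", "example", "net"])
    # Answer 1: owner is a compression pointer to the question name at offset 12
    ans1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(target)) + target
    # Answer 2: owner points at the CNAME target inside answer 1's rdata
    rdata_offset = 12 + len(question) + 2 + 10
    ans2 = (struct.pack("!H", 0xC000 | rdata_offset)
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
    return header + question + ans1 + ans2


def read_name(msg, offset):
    """Decode a possibly compressed DNS name; return (dotted name, offset after it)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:  # refuse pointer loops in malformed packets
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def names_from_dns_response(msg):
    """Map each IPv4 address in the answer section to its name chain,
    from the A-record owner back to the name the client originally asked for."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        return {}  # a query, not a response
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # skip qtype and qclass
    aliases = {}  # CNAME target -> owner name, so the chain can be walked backwards
    result = {}
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 5:  # CNAME
            target, _ = read_name(msg, offset)
            aliases[target] = owner
        elif rtype == 1 and rdlen == 4:  # A
            ip = socket.inet_ntoa(msg[offset:offset + 4])
            chain = [owner]
            while chain[-1] in aliases and aliases[chain[-1]] not in chain:
                chain.append(aliases[chain[-1]])
            result[ip] = chain
        offset += rdlen
    return result


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup, the nslookup approach; None on NXDOMAIN, 'no data' or timeout."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


if __name__ == "__main__":
    for ip, chain in names_from_dns_response(build_sample_response()).items():
        print(ip, "->", " <- ".join(chain))
    print("PTR:", reverse_lookup("192.0.2.10"))
```

Fed real captured DNS payloads (for instance from a pcap reader), `names_from_dns_response` builds the same kind of passive table a capture tool uses, and the interface can fall back to `reverse_lookup` only for addresses that never appeared in a DNS answer.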