[Winpcap-users] How does WinCap resolve IP addresses?

Gianluca Varenni gianluca.varenni at cacetech.com
Mon Dec 21 10:03:19 PST 2009


In any case you are looking at a trace file with wireshark, right?  If 
that's the case, wireshark resolves the addresses.

GV

--------------------------------------------------
From: "Richard Brooks" <richardbuk at sky.com>
Sent: Monday, December 21, 2009 9:49 AM
To: <winpcap-users at winpcap.org>
Subject: Re: [Winpcap-users] How does WinCap resolve IP addresses?

> Hello Gianluca
>
> Not sure which is doing the DNS lookup. It may well be Wireshark.
>
> However looking at the traces, it looks like there is some kind of web
> service interaction going on that provides better name resolution than
> nslookup.
>
> Any ideas?
>
> Regards
> Richard
> <RichardBUK at Sky.com>
>
>
>
> -----Original Message-----
> From: winpcap-users-bounces at winpcap.org
> [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
> Sent: 20 December 2009 20:37
> To: winpcap-users at winpcap.org
> Subject: Re: [Winpcap-users] How does WinCap resolve IP addresses?
>
> Uhm, WinPcap doesn't perform any reverse resolution (IP-->hostname). Are you
> talking about winpcap or wireshark?
>
>
> Have a nice day
> GV
>
> --------------------------------------------------
> From: "Richard Brooks" <richardbuk at sky.com>
> Sent: Sunday, December 20, 2009 9:05 AM
> To: <winpcap-users at winpcap.org>
> Subject: [Winpcap-users] How does WinCap resolve IP addresses?
>
>> How does WinCap resolve IP addresses?
>>
>> I am writing an interface to Snort's MySQL database. The interface currently
>> uses nslookup to try and resolve ip addresses to their human friendly names,
>> but WinCap is doing a much better job than nslookup. For example using
>> nslookup ip address '216.239.59.208' resolves to 'gv-in-f208.1e100.net',
>> however WinCap correctly resolves this ip address to the much more
>> meaningful 'bskyb-pop3-ssl.l.google.com', which is much more descriptive
>> than the previous effort.
>>
>> The Snort interface I am writing relies on addresses that look out of place
>> when resolved to their human friendly names. For example to help the user of
>> the interface spot addresses that are non-commercial (i.e. a hacker/zombie
>> machine rather than say 'www.amazon.com').
>>
>> What makes things even worse is that many times nslookup returns the likes
>> of 'The requested name is valid, but no data of the requested type was
>> found'.
>>
>> If anyone has any ideas on what WinCap is using to resolve ip addresses, I'd
>> be most grateful if they would let me in on it?
>>
>> Regards
>> Richard
>> <RichardBUK at Sky.com>
>>
>>
>>
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>


