Name Resolution

Resolve to Analyze
5 min |  Ross Jacobs |  July 7, 2019


Name resolution allows you to see more information about various PDU fields. Wireshark is intelligent and uses ARP and DNS lookups in the capture to add context when they are available.

The -n option of tshark disables all name resolutions. The big one it blocks is DNS queries to external resolvers. Using -n will not change the resulting pcap file, but will decrease tcpdump/tshark resource usage.

Using Tshark Flags

The data sources given as file names (ethers, vlans, services, hosts) are files in the profiles folder.

| Flag | Resolves | Data Source | Other Notes |
| --- | --- | --- | --- |
| -Nm | mac | ethers | |
| -Nv | vlan | vlans | |
| -Nt | port | services | |
| -Nn | dns | system hosts | To use only Wireshark's hosts file, use -o nameres.hosts_file_handling:TRUE |
| -NN | dns | external resolvers | -o 'nameres.use_external_name_resolver:TRUE' |
| -Nd | dns | capture file's DNS responses | -o 'nameres.dns_pkt_addr_resolution:TRUE' |
| -H $file | dns | the $file you specify | Implies -W n; adds DNS info from a file for this session; requires -Nn |

Here, the ethers, vlans, services, and hosts files are loaded by *shark from the global or personal configuration directory (see the Wireshark docs).

With tshark, you can specify preferences manually with -o key:value as shown in “Other Notes” or by adding these to the preferences file directly. To change preferences, ethers, vlans, services, hosts, and others, check out Editing Config Files.

On Editing the System’s Hosts File

It is best practice not to manually edit your system's hosts file unless you keep immaculate documentation and can read your colleagues' minds. It is easy to make a change, forget about it, and then have a "mystery" network problem 6 months later.


Example: Using All Resolution Types

You cannot override the default names for well-known mac addresses (wka). For example, ff:ff:ff:ff:ff:ff will be “Broadcast” and 01:00:0c:cc:cc:cd will be PVST+ regardless of your settings. A full list is available at Wireshark’s wka file.

Thanks to Wireshark’s Sample Captures, we have a file from last millennium with VLANs, IPX, AppleTalk, IPv4, TCP, X11, STP, and RIP. Clearly, the best party going on in late 1999 was in a network.

manuf, ethers, vlans, ipxnets, and services files don’t seem to resolve anything. It looks like this might be fixed in v3.1.0 (develop), but requires more testing.

* manuf resolves OUIs
* ethers resolves mac addresses to hostnames
* vlans resolves vlan ids to vlan names
* subnets resolves ipv4 subnets to names
* ipxnets resolves ipx networks to names
* services resolves tcp ports to services
* hosts resolves ipv4 addresses to names

You can (download) this profile into your personal profile folder and untar it, or run this two-liner that does the same thing.

# Get your personal profile directory: "tshark -G folders" prints one "Name:\tpath" line per folder,
# and "nal c" matches only the "Personal configuration:" line; awk keeps the path and appends /profiles
personal_dir="$(tshark -G folders | grep "nal c" | awk -F':\t*' '{print $2"/profiles"}')"
# Download the VLAN profile tarball and untar it into your personal profile directory
# (profile_url is a placeholder for the profile's download link above)
curl -sL "$profile_url" | tar xvz -C "$personal_dir"

To demonstrate the hosts and subnets files, we are going to use tshark's column format fields %uns (unresolved net source addr), %und (unresolved net dest addr), %rns (resolved net source addr), and %rnd (resolved net dest addr). To see all of the column fields available to tshark for columnar output, check the output of tshark -G column-formats.

In this example, we are looking at all unique IP conversations and not using name resolution or our profile.

# Read the file, keep only IP traffic (dropping IPX), and output unique conversations between IP addresses.
bash$ tshark -r /tmp/vlan.cap -o 'gui.column.format:"Source Net Addr","%uns","Dest Net Addr", "%und"' -Y "ip" | sort | uniq

In this example, we are looking at conversations between resolved network addresses. Information from both the hosts file and subnets file is used. I’ve aliased the broadcast address to “AVENGERS_ASSEMBLE!!!” as it might be something they would broadcast.

# Read the file, keep only IP traffic (dropping IPX), and output unique conversations between resolved IP addresses and subnets using data from a profile.
bash$ tshark -r /tmp/vlan.cap -C vlan_profile -o 'gui.column.format:"Source Net Addr","%rns","Dest Net Addr", "%rnd"' -Y "ip" | sort | uniq
 Black.Widow → LAN_OF_MILK_AND_HONEY.3.255
Captain.America → AVENGERS_ASSEMBLE!!!
Captain.Marvel → AVENGERS_ASSEMBLE!!!
Doctor.Strange → Rocket.Raccoon
      Falcon → AVENGERS_ASSEMBLE!!!
       Groot → AVENGERS_ASSEMBLE!!!
     Hawkeye → AVENGERS_ASSEMBLE!!!
        Hulk → Rocket.Raccoon
      Nebula → VLADIMIR_COMPUTIN.255
 Quicksilver → AVENGERS_ASSEMBLE!!!
Rocket.Raccoon → Doctor.Strange
Rocket.Raccoon → Hulk
        Thor → Black.Panther
        Wasp → VLADIMIR_COMPUTIN.255

There are a couple of things to note here. First, I made sure to add this capture's IP addresses (with names) to the profile's hosts file, so there are no unresolved addresses. Second, there is a "VLADIMIR_COMPUTIN.255" and a "LAN_OF_MILK_AND_HONEY.3.255". These are both subnet names from the subnets file. I did not put any IPs ending in .255 into the hosts file, so tshark falls back to the subnet name for these addresses.

# Relevant subnet file entries

LAN_OF_MILK_AND_HONEY ends in .3.255 because those octets are the unresolved host component (and, here, the broadcast address) of a /22: a /22 covers only the top six bits of the third octet, so the remaining bits of that octet and the whole fourth octet are appended to the subnet name.
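To make the hosts-then-subnets lookup and the ".3.255" suffix concrete, here is a small reimplementation of that behaviour as an added example. It is not Wireshark's code and not the article's profile: the hosts and subnets entries are constructed here in the format of the Wireshark profile files ("address name" and "network/prefixlen name"), the lookup order (exact hosts entry first, then the longest matching subnet, then the raw address) is my reading of the output shown above, and the suffix is rendered the way the article explains it: starting with the first octet the prefix does not completely cover.

```shell
#!/bin/sh
# Added example (not Wireshark's code or the article's profile). Constructed
# hosts and subnets data in the format of Wireshark's hosts/subnets files.
HOSTS_DATA='10.1.0.1 Black.Widow
10.1.0.7 Doctor.Strange
10.1.2.9 Rocket.Raccoon'
SUBNETS_DATA='10.1.0.0/22 LAN_OF_MILK_AND_HONEY
10.2.0.0/24 VLADIMIR_COMPUTIN
10.0.0.0/8 STARK_INDUSTRIES'

# Dotted quad -> 32-bit integer (octets read as decimal; no leading zeros).
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Resolve one IPv4 address:
# 1. an exact hosts entry wins;
# 2. otherwise the longest matching subnet name, followed by the host bits
#    rendered as every octet the prefix does not completely cover;
# 3. otherwise the address is echoed back unresolved.
resolve_addr() {
  addr=$1
  name=$(printf '%s\n' "$HOSTS_DATA" | awk -v a="$addr" '$1 == a { print $2; exit }')
  if [ -n "$name" ]; then
    echo "$name"
    return 0
  fi

  ipn=$(ip_to_int "$addr")
  best_len=-1
  best_name=
  old_ifs=$IFS
  IFS='
'
  for line in $SUBNETS_DATA; do
    IFS=$old_ifs
    set -- $line                      # $1 = network/prefixlen, $2 = name
    net=${1%/*}
    len=${1#*/}
    netn=$(ip_to_int "$net")
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    # Longest-prefix match: a more specific subnet replaces a less specific one.
    if [ $(( ipn & mask )) -eq $(( netn & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len
      best_name=$2
    fi
    IFS='
'
  done
  IFS=$old_ifs

  if [ -z "$best_name" ]; then
    echo "$addr"
    return 0
  fi

  # Host bits left after the prefix, printed from octet index len/8 (the first
  # octet the prefix does not fully cover) through the last octet. For a /22
  # that is two octets ("3.255"); for a /24 it is one ("255").
  host_part=$(( ipn & ((1 << (32 - best_len)) - 1) ))
  out=$best_name
  i=$(( best_len / 8 ))
  while [ "$i" -lt 4 ]; do
    out="$out.$(( (host_part >> (8 * (3 - i))) & 255 ))"
    i=$(( i + 1 ))
  done
  echo "$out"
}

# Demo: a hosts hit, a /22 and a /24 broadcast, a /8-only match, and a miss.
for a in 10.1.0.1 10.1.3.255 10.2.0.255 10.7.7.7 192.0.2.1; do
  printf '%-12s -> %s\n' "$a" "$(resolve_addr "$a")"
done
```

Running it prints the constructed equivalents of the article's output: 10.1.0.1 resolves from the hosts data, 10.1.3.255 becomes LAN_OF_MILK_AND_HONEY.3.255, 10.2.0.255 becomes VLADIMIR_COMPUTIN.255, and an address outside every subnet stays numeric. The overlap between 10.0.0.0/8 and the two smaller subnets also shows why longest-prefix matching matters when a subnets file contains nested networks.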

Further Reading