Wireshark · Ethereal-dev: Re: [Ethereal-dev] Etheral 0.10.4 Suggestions and Thoughts.

Ethereal-dev: Re: [Ethereal-dev] Etheral 0.10.4 Suggestions and Thoughts.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Wed, 19 May 2004 23:18:21 -0700

On Mon, May 17, 2004 at 01:01:00PM -0500, Alan Jones wrote:

> I have not been able to figure out Etheral's name resolution options
> compared to other network sniffing tools like Capsa.  Etheral seems to
> resolve our server names, but not most of our machine names.  Is this a
> vs Netbios thing? Capsa the other program I have used that is like
> Etheral seems to be able to resolve our local machine names.

If you're referring to name resolution for IP addresses, Ethereal either

	1) uses the native OS's "gethostbyaddr()" function

or

	2) uses GNU ADNS

to resolve IPv4 addresses, and uses "gethostbyaddr()" to resolve IPv6
addresses.

The "gethostbyaddr()" on UN*X systems probably won't use any
NetBIOS-over-TCP mechanism to resolve IP addresses, so a host that
doesn't have any entry in any of the mechanisms "gethostbyaddr()" *does*
uses (e.g., "/etc/hosts", NIS, or DNS) will not have its IP address
mapped to a name even if it does respond to NetBIOS name service status
requests.

The "gethostbyaddr()" on Windows will use NetBIOS-over-TCP, so it'll
find those hosts.  Unfortunately, that also means it'll take a Really
Long Time to *fail* to find the name of an IP address for a machine
that, for whatever reason (not being up, not being reachable by the
machine running Ethereal, not doing any NetBIOS stuff), if there's no
hosts file or DNS entry (and, if "gethostbyaddr()" tries NetBIOS
mechanisms before DNS, it'd take a really long time to *succeed* if
there *is* a DNS entry, but I don't know whether it does that).

So if the machine isn't in DNS but it's running NetBIOS-over-TCP, the
name won't be resolved by a UN*X system unless that system happens to
use NetBIOS-over-TCP name resolution as one of its "gethostbyaddr()"
mechanisms.

If it's a Windows system, Ethereal should resolve those names *if* it's
configured *not* to do "concurrent DNS name resolution" - if it *is*
configured to do "concurrent DNS name resolution", it'll be using GNU
ADNS rather than "gethostbyaddr()", and, as the "DNS" in "ADNS" might
suggest, it doesn't use anything other than DNS (and *maybe*
"/etc/hosts") to resolve addresses.

> Is anyone working on improving the name resolution?

Nobody's working on having Ethereal do its own NetBIOS-over-TCP name
resolution on UN*X, or on Windows if GNU ADNS is being used, as far as I
know.

Follow-Ups:
- Re: [Ethereal-dev] Etheral 0.10.4 Suggestions and Thoughts.
  - From: Martin Regner

References:
- [Ethereal-dev] Etheral 0.10.4 Suggestions and Thoughts.
  - From: Alan Jones

Prev by Date: Re: [Ethereal-dev] Re: [PATCH] Order of subdissectors : suggestio n of a trick
Next by Date: Re: [Ethereal-dev] Etheral 0.10.4 Suggestions and Thoughts.
Previous by thread: Re: [Ethereal-dev] Etheral 0.10.4 Suggestions and Thoughts.
Next by thread: Re: [Ethereal-dev] Etheral 0.10.4 Suggestions and Thoughts.
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$