Wireshark-dev: Re: [Wireshark-dev] How does Wireshark do name resolution?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 6 Jan 2010 12:42:10 -0800
On Jan 6, 2010, at 12:17 AM, Richard Brooks wrote:

> I am writing an interface to Snort's MySQL database. The interface currently
> uses nslookup to try and resolve IP addresses to their human-friendly names,
> but Wireshark is doing a much better job than nslookup. For example, using
> nslookup, IP address '216.239.59.208' resolves to 'gv-in-f208.1e100.net',
> however Wireshark correctly resolves this IP address to the much more
> meaningful 'bskyb-pop3-ssl.l.google.com', which is much more descriptive
> than the previous effort.

"Correctly"?

	$ host bskyb-pop3-ssl.l.google.com   
	bskyb-pop3-ssl.l.google.com has address 74.125.127.208

Doesn't look like 216.239.59.208 to me.  Do you have "host" on your machine?  If so, what does it resolve bskyb-pop3-ssl.l.google.com to?  And what do you get for "host -a 216.239.59.208", "host -a gv-in-f208.1e100.net", and "host -a bskyb-pop3-ssl.l.google.com"?