Looking Into Wireshark’s Name Resolution
If you have been following my past webcasts, you will have noticed that I've been spending a lot of time talking about calibrating tool behavior. I cannot stress enough how important it is to understand how your tools behave.
From some of the feedback I've received on previous articles, some people believe that I'm looking for complicated examples to baseline, which take a lot of time and effort. Nothing could be further from the truth. I'm simply asking you to be aware of how your favorite tools behave during your daily tasks. As I've demonstrated in the past, it can be as straightforward as discovering that Cisco devices use UDP when performing a traceroute, or how the protocol stack on your desktop behaves.
In this video I show how I figured out how Wireshark determines whether a hostname used in a capture filter is valid.
It's important to note that this is how Wireshark behaved on my machine when looking up a local hostname. You will see a different trace if you have more protocols loaded, etc.