User Guide
7.7. Name Resolution
Name resolution tries to resolve some of the numerical address values into a human readable format.
There are two possible ways to do these conversions, depending on the resolution to be done: calling
system/network services (like the gethostname function) and/or evaluating Wireshark specific
configuration files. For details about the configuration files Wireshark uses for name resolution
and the like, see Appendix A, Files and Folders.
The name resolution feature can be en-/disabled separately for the protocol layers of the following
sections.
7.7.1. Name Resolution drawbacks
Name resolution can be invaluable while working with Wireshark and may even save you hours of
work. Unfortunately, it also has its drawbacks.
• Name resolution will often fail. The name to be resolved might simply be unknown to the
name servers asked, or the servers are just not available and the name is also not found in
Wireshark's configuration files.
• The resolved names are not stored in the capture file or somewhere else. So the resolved
names might not be available if you open the capture file later or on a different machine. Each
time you open a capture file it may look "slightly different", maybe simply because you can't
connect to a name server (which you could connect to before).
• DNS may add additional packets to your capture file. You may see packets to/from your
machine in your capture file, which are caused by name resolution network services of the machine
Wireshark captures from. XXX - are there any other such packets than DNS ones?
• Resolved DNS names are cached by Wireshark. This is required for acceptable performance.
However, once name resolution information is cached, Wireshark won't notice if it changes
while Wireshark is running, e.g. when a new DHCP lease takes effect.
XXX - is this true for all or only for DNS info?
Tip!
The name resolution in the packet list is done while the list is filled. If a name could be
resolved after a packet was added to the list, that former entry won't be changed. As
the name resolution results are cached, you can use "View/Reload" to rebuild the packet
list, this time with the correctly resolved names. However, this isn't possible while a
capture is in progress.
7.7.2. Ethernet name resolution (MAC layer)
Try to resolve an Ethernet MAC address (e.g. 00:09:5b:01:02:03) to something more "human readable".
ARP name resolution (system service): Wireshark will ask the operating system to convert an
Ethernet address to the corresponding IP address (e.g. 00:09:5b:01:02:03 -> 192.168.0.1).
Ethernet codes (ethers file): If the ARP name resolution failed, Wireshark tries to convert the
Ethernet address to a known device name, which has been assigned by the user using an ethers file (e.g.
00:09:5b:01:02:03 -> homerouter).
Ethernet manufacturer codes (manuf file): If neither ARP nor ethers returns a result, Wireshark
tries to convert the first 3 bytes of an Ethernet address to an abbreviated manufacturer name, which
has been assigned by the IEEE (e.g. 00:09:5b:01:02:03 -> Netgear_01:02:03).
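The lookup order described in this section, as an added example (not Wireshark's own code): ARP first, then ethers, then the manuf prefix. The ARP table is a constructed dictionary standing in for the operating system's answer, the ETHERS and MANUF strings are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample contents in the ethers/manuf line format (not real files).
ETHERS = "# <MAC> <name>\n00:09:5b:01:02:03  homerouter\n00-0c-29-aa-bb-cc  labvm\n"
MANUF = "# <3-byte prefix> <short name>\n00:09:5B\tNetgear\n00:0C:29\tVMware\n"

def norm(addr):
    """Lowercase hex digits of a MAC or prefix, separators removed."""
    digits = re.sub(r"[:.\-]", "", addr.strip()).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", digits):
        raise ValueError(f"not a hardware address: {addr!r}")
    return digits

def parse_table(text):
    """Parse '<address> <name>' lines; blank lines and # comments are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[norm(fields[0])] = fields[1]
    return table

def resolve_mac(mac, arp, ethers, manuf):
    """Return (display name, source): ARP first, then ethers, then manuf."""
    key = norm(mac)
    if len(key) != 12:
        raise ValueError(f"expected 6 bytes: {mac!r}")
    octets = [key[i:i + 2] for i in range(0, 12, 2)]
    if key in arp:                      # stand-in for the OS lookup (assumption)
        return arp[key], "arp"
    if key in ethers:                   # user-assigned device name
        return ethers[key], "ethers"
    if key[:6] in manuf:                # vendor prefix + remaining 3 bytes
        return manuf[key[:6]] + "_" + ":".join(octets[3:]), "manuf"
    return ":".join(octets), "unresolved"

if __name__ == "__main__":
    ethers, manuf = parse_table(ETHERS), parse_table(MANUF)
    arp = {norm("00:09:5b:01:02:03"): "192.168.0.1"}
    for table in (arp, {}):
        print(resolve_mac("00:09:5b:01:02:03", table, ethers, manuf))
    print(resolve_mac("00:09:5b:01:02:03", {}, {}, manuf))
    print(resolve_mac("de:ad:be:ef:00:01", {}, ethers, manuf))
```

Returning the source next to the name shows whether a label came from the local ARP cache or local files, which matters because resolved names are not stored in the capture file.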