Network Analysis Using Wireshark 2 Cookbook (Second Edition)

Name resolution preferences

Wireshark supports name resolution in three layers:

  • Layer 2: By resolving the first part of the MAC address to the vendor name. For example, 14:da:e9 will be presented as AsusTeckC (ASUSTeK Computer Inc.).
  • Layer 3: By resolving IP addresses to the DNS names. For example, 157.166.226.46 will be resolved to www.edition.cnn.com.
  • Layer 4: By resolving TCP/UDP port numbers to port names. For example, port 80 will be resolved as HTTP, and port 53 as DNS.

In the following screenshot, you can see how to configure name resolution in the Preferences window:

In this window, you can configure, from top to bottom:

  • Layer 2, 3, and 4 name resolution.
  • How to perform name resolution: by DNS and/or hosts file, and what the maximum number of concurrent DNS requests is (so the software will not be overloaded).
  • Simple Network Management Protocol (SNMP), object identifiers, IDs, and whether we want to translate them to object names.
  • GeoIP and whether we want to use it. For further information about this, see Chapter 10, Network Layer Protocols and Operations.
In TCP and UDP, only the destination port to which the client initially opens the connection is meaningful. The source port that the connection is opened from is a random number (higher than 1,024), so translating it to a port name has no meaning.
  • The Wireshark default is to resolve layer 2 MAC addresses and layer 4 TCP/UDP port numbers. Resolving IP addresses can slow down Wireshark because of the large number of DNS queries it generates, so use it carefully.
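
The three resolution layers and the source-port note above, as an added Python sketch (not code from the book or from Wireshark). The lookup tables, the sample packet, the function names and the "ports above 1,024 stay numeric" rule are assumptions built from the examples on this page; layer 3 uses only a hosts-file style table, so no DNS queries are sent.

```python
# Constructed sample tables, not Wireshark's own data files.
OUI_TABLE = {"14:da:e9": "AsusTeckC"}                      # layer 2: OUI -> vendor
HOSTS_FILE = "# constructed hosts file\n157.166.226.46  www.edition.cnn.com\n"
SERVICES = {("tcp", 80): "http", ("tcp", 53): "dns", ("udp", 53): "dns"}  # layer 4

def parse_hosts(text):
    """Parse hosts-file lines ('ip name [aliases]') into {ip: name}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 2:
            table.setdefault(fields[0], fields[1])
    return table

def resolve_mac(mac):
    """Replace the first three octets with the vendor name when the OUI is known."""
    octets = mac.lower().replace("-", ":").split(":")
    vendor = OUI_TABLE.get(":".join(octets[:3]))
    return f"{vendor}_{':'.join(octets[3:])}" if vendor else ":".join(octets)

def resolve_port(proto, port):
    """Name a port only if it is known and not in the random client range."""
    if port > 1024:                               # ephemeral source port: keep the number
        return str(port)
    return SERVICES.get((proto, port), str(port))

def resolve_packet(pkt, hosts, layers=("mac", "transport")):
    """Apply the enabled layers; the default mirrors the page (layers 2 and 4 only)."""
    out = dict(pkt)
    for side in ("src", "dst"):
        if "mac" in layers:
            out[f"{side}_mac"] = resolve_mac(pkt[f"{side}_mac"])
        if "network" in layers:                   # off by default, as on the page
            out[f"{side}_ip"] = hosts.get(pkt[f"{side}_ip"], pkt[f"{side}_ip"])
        if "transport" in layers:
            out[f"{side}_port"] = resolve_port(pkt["proto"], pkt[f"{side}_port"])
    return out

# Constructed packet summary: a client opening an HTTP connection.
SAMPLE_PACKET = {"proto": "tcp",
                 "src_mac": "14:DA:E9:01:02:03", "dst_mac": "00-11-22-33-44-55",
                 "src_ip": "192.0.2.10", "dst_ip": "157.166.226.46",
                 "src_port": 51514, "dst_port": 80}

if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    print(resolve_packet(SAMPLE_PACKET, hosts))
    print(resolve_packet(SAMPLE_PACKET, hosts, layers=("mac", "network", "transport")))
```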