Wireshark name resolution

As I mentioned in a previous post, if you’re troubleshooting an issue using Wireshark, especially over IPv6, it can be a headache to keep track of which IP is which in a complex network. Imagine trying to write down or memorize the following IP addresses in the packet capture:


Wireshark can read the local hosts file (/etc/hosts or C:\windows\system32\drivers\etc\hosts), but using it to hold arbitrary mappings between IPs and hostnames is not a good idea, since it may mess up your day-to-day connectivity.

Instead, it’s a better idea to create a hosts file in C:\Program Files\Wireshark. Just create a file named “hosts” (no extension) and add the IP-to-host mappings using the normal hosts syntax. For example:

fc00::2d0:83ff:fe05:685 PROXY6
fc00::20c:29ff:fe75:25fa CENTOS

Turn on network name resolution in Wireshark via the Edit > Preferences > Name Resolution menu by enabling the “enable network name resolution” option. Close and restart Wireshark.
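A small checker for the hosts file described above, added here as an example and not part of the original post: it validates each address and flags an address that is listed twice under different names, including when the two lines spell the same IPv6 address differently. The function name `lint_hosts` and the sample lines beyond the two entries shown above are constructed for illustration.

```python
import ipaddress


def lint_hosts(text):
    """Parse hosts-format text and return (mappings, problems).

    mappings: dict of canonical address string -> hostname
    problems: list of (line_number, message)
    """
    mappings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append((lineno, "missing hostname"))
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((lineno, f"invalid address {fields[0]!r}"))
            continue
        # Canonical form, so different spellings of one IPv6 address collide.
        key = addr.compressed
        name = fields[1]
        if key in mappings and mappings[key] != name:
            problems.append((lineno, f"{key} already mapped to {mappings[key]}"))
            continue
        mappings[key] = name
    return mappings, problems


# Constructed sample: the two entries from the post plus three deliberately bad lines.
SAMPLE = """\
fc00::2d0:83ff:fe05:685 PROXY6
fc00::20c:29ff:fe75:25fa CENTOS
fc00:0:0:0:20c:29ff:fe75:25fa WEBSRV   # same address as CENTOS, written in full
fc00::zz PRINTER
192.0.2.10
"""

if __name__ == "__main__":
    mappings, problems = lint_hosts(SAMPLE)
    for addr, name in mappings.items():
        print(f"{addr}\t{name}")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```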

You should now have a much easier to read pcap:


