Does Wireshark account for adjusted hosts files? [closed]

I have a system where I am blocking specific IP addresses using the hosts file in Windows; however, Wireshark shows a connection being attempted to that IP address. I can't seem to see where it is resolving to.

Ex: Hosts file shows:

64.233.185.102 127.0.0.1

The IP address doesn't resolve in any browser; however, Wireshark will show the call being made but not where it resolves to, unless I'm missing something.

Ka0sDem0n
asked 2020-05-14 13:52:27 +0000

Closed for the following reason "the question is answered, right answer was accepted" by Ka0sDem0n 2020-05-14 15:28:55 +0000


1 Answer


I don't think you understand what the hosts file does: it's for resolution of hostnames to IP addresses; it does not map IP addresses to other IP addresses.

When applications attempt to connect to a remote host, e.g. www.wireshark.org, that hostname must be resolved to an IP address. Depending on the application, it may make a lookup of the hostname in the hosts file and if found the IP address for that hostname is returned.

Also note your format is incorrect for a Windows hosts file; if you wanted to redirect www.wireshark.org to 127.0.0.1 you would use

127.0.0.1    www.wireshark.org

that is <resolved IP> <host name>

grahamb
answered 2020-05-14 14:13:31 +0000
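As an added illustration (this is example code, not part of the answer above and not Wireshark's or Windows' own code), the following Python models how a resolver consults a hosts file. The sample hosts text is constructed: its first data line is the poster's inverted entry, its second is the corrected form from the answer. The point it makes concrete is that the hosts table is keyed by name, so a connection to a literal IP address never touches it.

```python
import ipaddress

# Default location of the hosts file on Windows (fixed, documented path).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts file, not taken from a real machine. The first
# data line is the poster's inverted entry; the second is the form given in
# the answer: <resolved IP> <host name>.
SAMPLE_HOSTS = """\
# Lines starting with '#' are comments; blank lines are ignored.
64.233.185.102 127.0.0.1        # poster's line: address 64.233.185.102, "name" 127.0.0.1
127.0.0.1      www.wireshark.org
"""


def parse_hosts(text):
    """Parse hosts-file text the way a resolver does.

    Each non-comment line is '<address> <name> [alias ...]'. Returns a dict
    mapping lower-cased name -> address string. In this model the first entry
    for a name wins; later duplicates are ignored.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address with no names: useless
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field must be an IP literal
        for name in fields[1:]:
            table.setdefault(name.lower(), address)
    return table


def resolve_target(target, table):
    """Return the address an application would connect to for `target`.

    A literal IP address needs no name resolution, so the hosts table is never
    consulted for it. Only a hostname goes through the table; None means
    'not in the hosts file, fall through to DNS'.
    """
    try:
        return str(ipaddress.ip_address(target))    # literal IP: table bypassed
    except ValueError:
        pass
    return table.get(target.lower())


def load_hosts(path=WINDOWS_HOSTS_PATH):
    """Read and parse the real hosts file (needs an existing file; not used offline)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_hosts(fh.read())


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(table)
    # The poster's line created a bogus name "127.0.0.1", not an IP->IP block:
    print(resolve_target("64.233.185.102", table))    # 64.233.185.102
    # The corrected line does redirect the *hostname*:
    print(resolve_target("www.wireshark.org", table))  # 127.0.0.1
```

Run `load_hosts()` on a Windows box to see the same parse applied to the real file; any line whose first field is not an IP literal, like the poster's entry read the other way round, is simply skipped.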

Comments

You are correct; when I tested this previously it had the intended impact on the system, and I couldn't contact the remote host. I need to find a solution to stop an application making a call to a remote IP address. I may have to just do this through the built-in firewall.

Ka0sDem0n (2020-05-14 14:45:35 +0000)

You could add a null route for the target address, e.g. using an elevated prompt:

route add <targetIP> <IP of your gateway> if 1

where <IP of your gateway> is your default gateway, usually your router. If you want to make this permanent over reboots, then add -p, e.g. route -p add ...

To delete the route use:

route delete <targetIP>
grahamb (2020-05-14 15:08:43 +0000)

Could I replace <IP of your gateway> with '127.0.0.1'? I would like it back to localhost so as not to cause any potential networking issues with client networks.

Ka0sDem0n (2020-05-14 15:17:52 +0000)

No. Note that, due to the mask defaulting to 255.255.255.255, only the specific targetIP will be affected on the machine you have added the route to. If you examine the route after adding it you'll see that if 1 is 127.0.0.1.

grahamb (2020-05-14 15:23:04 +0000)
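To make the scope of that host route concrete, here is an added Python model of longest-prefix route lookup (example code, not from this thread and not Windows' routing code). The routing table is constructed: the gateway 192.168.1.1 and LAN interface index 12 are assumptions, while the /32 entry on interface 1 mirrors what `route add <targetIP> <gateway> if 1` creates with the default 255.255.255.255 mask. Neighbouring addresses keep following the default route.

```python
import ipaddress

# Constructed routing table, not taken from a real machine. Entries are
# (destination, next hop, interface index). Interface 12 for the LAN adapter
# and gateway 192.168.1.1 are assumptions; interface 1 is the loopback
# interface, as the comment above notes.
GATEWAY = "192.168.1.1"
TARGET = "64.233.185.102"
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), GATEWAY, 12),           # default route
    (ipaddress.ip_network("192.168.1.0/24"), "0.0.0.0", 12),    # on-link LAN
    # What `route add <targetIP> <gateway> if 1` adds: the mask defaults to
    # 255.255.255.255, i.e. a /32 covering exactly one address.
    (ipaddress.ip_network(TARGET + "/32"), GATEWAY, 1),
]


def lookup(address, routes=ROUTES):
    """Longest-prefix match: among routes containing `address`, the one with
    the longest mask wins. Returns (network, next_hop, ifindex) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, next_hop, ifindex in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifindex)
    return best


def egress_interface(address, routes=ROUTES):
    """Interface index a packet to `address` would leave through (None if no route)."""
    match = lookup(address, routes)
    return match[2] if match else None


if __name__ == "__main__":
    for probe in (TARGET, "64.233.185.103", "192.168.1.50"):
        print(probe, "->", lookup(probe))
```

Only the exact target lands on interface 1; the address one higher, and the LAN hosts, still resolve to the default and on-link routes, which is the behaviour the comment above describes.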

Also note that this question and the subsequent conversation are off-topic for this site, as they have nothing to do with Wireshark.

grahamb (2020-05-14 15:26:52 +0000)