How should I correctly use "Resolving names"?

retag add tags

Hello. I tried different settings of my wireshark (like this and this). But when I am opening file with my captured 150k packets, I want to check statistics with "Endpoints". But I cannot do it normally because it is lagging. I think my PC is good enough to solve this task, so I guess the problem is in my settings.

When I open "Endpoints", sort it by value, and then tick the box "Resolving names" - it starts lagging, and after 1-2 seconds a tick from the box disappears, so I need to click every second and try to see any resolved ip adresses.

Are there any ways to fix it, to do it automatically so that I wouldn't need to click this tick every second??

neverxxsleep

asked 2021-06-24 11:22:01 +0000, updated 2021-06-24 13:06:51 +0000

edit flag offensive 0 remove flag close merge delete

Comments

What is your Wireshark version?

Some of your questions\statements are confusing, possibly down to language translation issues:

In Endpoints you "sort it by value", do you mean Address?
In the Endpoints dialog, what tab are you using Ethernet\IP ...?
What is the checkbox "Resolving Names", do you mean "Name Resolution"?

grahamb (2021-06-24 12:24:41 +0000) edit

Version 3.4.6

I mean sort it by value of packets (ascending). I am using IPv4 tab. Yes, I meant "Name resolution". here is this tick-box

I would wish that when I go to the Endpoints it would automatically start Name resolution so I don't need clicking "Name resolution" every second, which makes program very laggy

neverxxsleep (2021-06-24 13:06:21 +0000) edit

add a comment see more comments

1 Answer

Sort by

oldest

newest

most voted

To resolve IP's to names requires looking up those names, they can come from a number of sources, a local file, a local DNS resolver (which may have some items cached) or another DNS resolver elsewhere.

Regardless of how it's done, anything other than a local file (or local cache) will take some time to recursively resolve the names to IP's and with many names, this will take some time, this is the reason the box is unchecked by default.

By default Wireshark will use an asynchronous internal DNS resolver (C-Ares) and allow up to 500 concurrent requests. This can be adjusted in the Preferences -> Name Resolution options.

More information about Name Resolution can be found in the User Guide.

23.8k

grahamb

answered 2021-06-24 13:43:53 +0000

edit flag offensive 0 remove flag delete link

Comments

Yes, but ...

after 1-2 seconds a tick from the box disappears

That sounds like a bug to me, one that could be reported on the Wireshark Issue Tracker. If the user selects Name resolution, then I think it's a reasonable expectation that it remain selected. In fact, this behavior is easily reproducible during a live capture. For now, I'd recommend not resolving IP addresses during a live capture but only after you've stopped capturing.

cmaynard (2021-06-24 13:59:38 +0000) edit

Statistics -> Conversations is similarly affected regarding the state of the Name resolution checkbox.

cmaynard (2021-06-24 14:23:23 +0000) edit

I wonder if the C-Ares run "completes" for the IP's captured so far so name res is disabled again.

grahamb (2021-06-24 14:29:53 +0000) edit

Open issue:
16303: Endpoint "name resolution" checkbox gets cleared on refresh screen

Chuckc (2021-06-24 15:37:19 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

How should I correctly use "Resolving names"? edit

Comments

1 Answer

Comments