
How to resolve a large list of IP addresses?


Hi. I have files with a lot of captured traffic which I want to analyse. But when I use Wireshark with "Resolve addresses" turned on, it works very slowly, the program starts lagging, etc. So I can't analyse the list of Endpoints I was connecting to.

So I supposed I should try to resolve the IP addresses in another way. I want to copy all IPs from Statistics -> Endpoints -> IPv4 and resolve this list by some different means. I guess it should be much faster (because I already tried to analyse my dumps on another PC with another system and it still lags a lot) and more efficient. So, could you please give a hint on how I could export all Endpoints IPv4 addresses and resolve them as fast as possible.

neverxxsleep, asked 2021-07-08 14:53:44 +0000


1 Answer


To get the IPs, use tshark with the -z endpoints,<type> option, setting type appropriately, e.g. "ip" for IPv4 addresses. You'll also need the -q and -n flags to suppress normal output and disable name resolution respectively, e.g.

 tshark -r mycapture.pcap -q -n -z endpoints,ip

You may find that using tshark you can enable name resolution and the load won't be too bad by removing the -n option.

See the tshark man page for all the -z endpoints,... options.

grahamb, answered 2021-07-08 15:33:51 +0000, updated 2021-07-08 15:36:36 +0000

Comments

Thank you! It helped me so much. It is exporting and resolving much faster than before. But could you please tell me what I can do with the IPv4 addresses that were not resolved? Are there any methods by which I could upload a list of the IP addresses that did not resolve (maybe there are programs or sites) and get them resolved? I am a complete newbie in this, and I find it difficult to understand some things from the documentation. It's great that Wireshark has such good support :)

neverxxsleep (2021-07-08 22:55:38 +0000)

Wireshark uses a resolver library, c-ares, to resolve IP addresses to names, and it will use the DNS servers set in the Name Resolution preferences. I think that if that list is empty it uses the host DNS config to find DNS servers.

If IPs can't be resolved then either the query is being sent to the wrong DNS servers (i.e. the IPs are internal (non-public), so you need to use an internal DNS server) or there is indeed no DNS reverse record for them.

Can you give an example of one IP that doesn't resolve?

grahamb (2021-07-09 07:51:45 +0000)
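Putting grahamb's answer and his follow-up comment together, here is an added Python post-processing script (not from this thread or from the Wireshark project) that parses the table printed by tshark -q -n -z endpoints,ip, reverse-resolves the addresses in parallel instead of one at a time, and flags the unresolved ones that sit in private ranges, since those are the addresses a public DNS server can never have reverse records for. The table text and its packet counts are constructed; reverse_lookup goes through the host resolver, so a real run needs a DNS server that knows the internal ranges, as the comment above says.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
# Constructed sample of the table tshark prints for -z endpoints,ip (counts are made up).
SAMPLE_OUTPUT = """\
================================================================================
IPv4 Endpoints
Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
192.168.1.10                 120       45678        60          12345        60          33333
8.8.8.8                       20        2345        10           1000        10           1345
10.0.0.5                       4         512         2            256         2            256
================================================================================
"""
def parse_endpoints(text):
    """Return the IPv4 addresses from the endpoints table, in order, without duplicates."""
    ips = []
    for line in text.splitlines():
        parts = line.split()
        try:
            ipaddress.IPv4Address(parts[0])  # header, separator and blank lines fail here
        except (ValueError, IndexError):
            continue
        if parts[0] not in ips:
            ips.append(parts[0])
    return ips

def reverse_lookup(ip):
    """Reverse DNS (PTR) lookup through the host resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def resolve_all(ips, resolver=reverse_lookup, workers=16):
    """Resolve every address concurrently; unresolved addresses map to None."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ips, pool.map(resolver, ips)))

def report(resolved):
    """One line per address; unresolved private addresses are flagged as such."""
    lines = []
    for ip, name in resolved.items():
        if name is None:
            name = "unresolved" + (", private range" if ipaddress.ip_address(ip).is_private else "")
        lines.append(f"{ip:<16} {name}")
    return lines

if __name__ == "__main__":  # runs on the constructed sample; feed it a saved tshark output for real use
    print("\n".join(report(resolve_all(parse_endpoints(SAMPLE_OUTPUT)))))
```

Pass a different resolver function to resolve_all (for example one that queries an internal DNS server) when the host resolver is not the one that knows your ranges.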
