
I can't seem to get the right information using Wireshark.

I'm capturing on my wireless network, and I want to be able to inspect packets coming from users on my network.

After capturing, I apply this filter: http.request.method == "GET" || http.request.method == "POST"

The packets that come from my machine have my IP address as source, and the destination in plain text, such as "askubuntu.com". However, when it's anyone else, it won't display the destination in plain text, but rather as an address such as "12.34.56.789", and looking at the packet data gives me no clues as to the final destination. When the packets come from my PC, they look like this:

Any help would be greatly appreciated.

EDIT: When I try to use a DNS lookup on the addresses given by other machines on the network, they don't turn up anything. I can't even ping those addresses (host unreachable).

Braiam
qsorted
  • The packet data should include the HTTP header, which includes at least the file name on the server. Wireshark shows hosts as IP addresses, since after the package leaves its source computer, the only thing that is in the package is the IP, not the hostname. To get the hostname, you'll have to do a reverse DNS query (for instance with nslookup). – soulsource Aug 02 '13 at 17:50
  • I see, but why do I get the hostnames for my own computer? – qsorted Aug 02 '13 at 18:00
  • Because Wireshark, if configured to do so, attempts to resolve the IP address to a host name, which usually means doing the reverse DNS query in question. Whatever host resolution mechanism it uses on your OS (probably some flavor of Linux, from the "wlan0" name for the interface) is probably recognizing the local host IP address (from an /etc/hosts entry?) and giving the local host name, and finding DNS entries for the servers you're talking to on the Internet, but not finding a DNS entry for the other hosts on your network. –  May 31 '14 at 10:38

1 Answer


When I try to use a DNS lookup on the addresses given by other machines on the network, they don't turn up anything.

Well, Wireshark's using DNS to translate IP addresses to names, so there's your answer. If there were DNS entries for them, they'd get resolved. Perhaps some other address-to-name resolution mechanism allows the IP address for your host to be resolved on that host.

(And, no, this has nothing whatsoever to do with the false claim that "|| behaves like && and && behaves like ||".)
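The comment thread and the answer above make two separate points: the destination hostname is carried inside the HTTP request itself (the Host header), while the name Wireshark shows in the address column comes from a reverse DNS lookup that only succeeds when a PTR record exists. The script below is an added example, not code from the question or the answer. It works over constructed sample payloads (the IP addresses are from documentation ranges and the request bytes are made up), applies the same GET/POST filter the asker used, pulls the Host header out of each matching request, and separately attempts the reverse lookup so the two sources of "destination name" can be compared side by side. The resolver is injectable so the lookup can be swapped for a table when running offline.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: (source IP, destination IP) -> TCP payload bytes, as
# they would appear in packets captured from other hosts on the LAN. None of
# this is real traffic; the addresses are from RFC 5737 documentation ranges.
SAMPLE_PACKETS: Dict[Tuple[str, str], bytes] = {
    ("192.168.1.23", "203.0.113.10"): (
        b"GET /questions/tagged/wireshark HTTP/1.1\r\n"
        b"Host: askubuntu.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Accept: */*\r\n\r\n"
    ),
    ("192.168.1.42", "198.51.100.7"): (
        b"POST /search HTTP/1.1\r\n"
        b"Host: example.net\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 23\r\n\r\n"
        b"q=wireshark+host+header"
    ),
    # Constructed bytes shaped like the start of a TLS record rather than an
    # HTTP request: for HTTPS the Host header is inside the encrypted stream,
    # so a display filter on http.request.method never matches it.
    ("192.168.1.50", "192.168.1.1"): b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",
}

# Request line of an HTTP/1.x message: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS)\s+(\S+)\s+HTTP/1\.[01]\r\n"
)


def parse_http_request(payload: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return method, request URI and Host header of an HTTP request payload,
    or None when the payload does not start with an HTTP request line."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    method, uri = m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace")
    header_block = payload.split(b"\r\n\r\n", 1)[0]
    host: Optional[str] = None
    for line in header_block.split(b"\r\n")[1:]:  # skip the request line itself
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":  # header names are case-insensitive
            host = value.strip().decode("ascii", "replace")
            break
    return {"method": method, "uri": uri, "host": host}


def reverse_dns(ip: str, resolver: Callable = socket.gethostbyaddr) -> Optional[str]:
    """Do what Wireshark's network name resolution does: ask for a PTR record.
    Hosts without one (typical for LAN clients) come back as None."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def summarize(
    packets: Dict[Tuple[str, str], bytes],
    methods: Tuple[str, ...] = ("GET", "POST"),
    resolver: Callable = socket.gethostbyaddr,
) -> List[Dict[str, Optional[str]]]:
    """Apply the GET/POST filter and report both destination-name sources:
    the Host header carried in the request, and the reverse DNS answer."""
    rows = []
    for (src, dst), payload in packets.items():
        req = parse_http_request(payload)
        if req is None or req["method"] not in methods:
            continue
        rows.append({
            "src": src,
            "dst": dst,
            "method": req["method"],
            "uri": req["uri"],
            "host_header": req["host"],
            "reverse_dns": reverse_dns(dst, resolver),
        })
    return rows


if __name__ == "__main__":
    # With the real resolver this performs live DNS lookups for the sample IPs.
    for row in summarize(SAMPLE_PACKETS):
        print(f'{row["src"]} -> {row["dst"]}  {row["method"]} {row["uri"]}  '
              f'Host={row["host_header"]}  PTR={row["reverse_dns"]}')
```

The `host_header` column is the reliable one for plaintext HTTP: it is what the client itself asked for and does not depend on any DNS record existing. The `reverse_dns` column reproduces the behaviour the answer describes, and on a home network it will usually be None for the other clients' destinations unless a PTR record happens to exist. For HTTPS traffic neither column is available from the HTTP layer, which is why the third sample is dropped by the filter.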