HakTip 123 – Wireshark 101: Name Resolutions and Flow Graphs
On today’s HakTip, Shannon defines how Wireshark interprets name resolutions, and how to view flow graphs.
Today we’re checking out Wireshark and Name Resolutions!
Let’s talk about name resolutions! This is used in several programs to convert one address into another, such as changing a computer’s MAC address to something that makes sense, such as a DNS or ARP .com name. You can enable these under Capture –> Options. Resolve MAC addresses means Wireshark will try to resolve the layer 2 or 3 MAC address. Resolve network-layer names means Wireshark will try to convert something like an IP address into an easier to interpret DNS name. Resolve transport-layer name means Wireshark will try to convert a port number, like port 80, into whatever that port stands for, like http. Keep in mind, name resolution doesn’t always work. Your network needs to be set up correctly to interprety DNS names, and these servers have to be online to work every time you run a capture. It also requires a bit more power under the hood as well.
Here’s something cool. Click Statistics –> Packet Lengths and click Create Stat. Most of the packets are between 1280 and 2559 bytes. These are usually data. The second largest packet length is 40-79 in bytes. These are most likely just protocol control commands.
Now let’s take a look at another Graph. There are a lot of graphs you can use in Wireshark for different things, and this one is pretty cool. It’s called the Flow Graph. Open it by going to Statistics –> Flow Graph. Pick your options, such as which packets to show, flow type, and node address type.Click OK and the graph will compile. You’ll see time stamps, Comments about eah packet, and in the middle, an analysis of each packet with the source and destination. This can help you visualize each packet flow during your packet capture.
Now for a bit of feedback!
Howie says: Hi! I just recently watched you video “Wireshark 101: Downloading, Displaying, and the BPF Syntax! HakTip 117” from your youtube channel and thought it was great to see more about BPF’s (I’ve been researching them for a while and the information is somewhat scarce).
One point I was a little unclear from the video was the capture filters. From what I understand, the capture filters are BPF’s, however, the filter section on the main screen of Wireshark uses display filters, which is a separate filter function. The video made it seem like you would enter in a BPF on the main screen which I don’t think is the case.
Howie, you’re right! There is a difference and I didn’t clearly specify between the two. BPF filters are different from display filters, which are just used to show you a screening of specific packets from the whole list. BPF filters are created before you start your capture. The two are also different in syntax. You cannot use a display filter in the BPF syntax and vice versa. I hope that cleared up some of the confusion!
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.