Listing all resolvable hostnames in Wireshark is very easy. This makes interpreting a capture much easier.
Go to Edit->Preferences->Name Resolution.
Then tick the following options.
- ‘Resolve Transport Names’
- ‘Resolve Network (IP) addresses’
Just like in this screenshot.
Then, navigate to Statistics->Conversations and tick the Name Resolution box to see the resolved hostnames.
This is a very simple trick to use when reading a Wireshark capture. Even though the traffic is encrypted with TLS (what the dialog still calls SSL), you can at least see which sites are being used. Click the IPv4 option to see a comprehensive list of all resolved hostnames. The Ethernet option shows only the node names on the LAN, such as the network card in your PC and the gateway device you are connected to. The same goes for the IPv6 option. Two caveats: the names come from reverse (PTR) lookups or from DNS replies already in the capture, so what you see is often the CDN or backend host (i.4cdn.org, youtube-ui.l.google.com in the listing below) rather than the site the user typed; and if ‘Use an external network name resolver’ is ticked, Wireshark itself sends DNS queries from the analysis machine while you browse the capture, which you may not want on a sensitive network. Ticking ‘Use captured DNS packet data for name resolution’ in the same preference pane resolves only from what the capture already contains. It is limited, but at least it is possible to see what website is being visited, even if the URLs can not be seen.
To filter for a certain website in the main Wireshark window, use this filter. It is a byte-level substring match on the TLS record, so in practice it hits the Client Hello, where the Server Name Indication (SNI) carries the hostname in the clear, and in TLS 1.2 the server certificate as well. Wireshark 3.0 and later name the dissector tls (ssl is kept as an alias), and the SNI field can be matched directly and more precisely with tls.handshake.extensions_server_name contains "youtube".
ssl contains "youtube"
List all packets originating from a certain IP address.
ip.src == 192.168.1.5
This is very effective to look for activity from a particular machine on the network. Note that the CIDR form ip.src == 192.168.1.5/16 does not isolate one machine: Wireshark masks off the host bits and matches every source in 192.168.0.0/16, which is useful for "everything from the LAN" but not for a single host. In the listing below the traffic is UDP to port 443, which is QUIC (HTTP/3): a raw byte match such as ssl contains "youtube" will not hit it, but Wireshark decrypts the QUIC Initial packets (their keys are derived from the connection ID) and dissects the Client Hello inside them, so tls.handshake.extensions_server_name still exposes the server name.
No.  Time         Source       Destination              Protocol  Length  Info
46   3.369652448  192.168.1.5  i.4cdn.org               UDP       87      48325 → https(443) Len=45
48   3.408344779  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
49   4.310013578  192.168.1.5  youtube-ui.l.google.com  UDP       1285    41481 → https(443) Len=1243
50   4.310044289  192.168.1.5  youtube-ui.l.google.com  UDP       1292    41481 → https(443) Len=1250
51   4.310051930  192.168.1.5  youtube-ui.l.google.com  UDP       1062    41481 → https(443) Len=1020
54   4.334204243  192.168.1.5  youtube-ui.l.google.com  UDP       74      41481 → https(443) Len=32
56   4.441018794  192.168.1.5  youtube-ui.l.google.com  UDP       81      41481 → https(443) Len=39
59   4.450452550  192.168.1.5  youtube-ui.l.google.com  UDP       75      41481 → https(443) Len=33
63   7.818931082  192.168.1.5  youtube-ui.l.google.com  UDP       71      47592 → https(443) Len=29
65   7.908551631  192.168.1.5  i.4cdn.org               UDP       337     59048 → https(443) Len=295
68   8.093204835  192.168.1.5  i.4cdn.org               UDP       329     59048 → https(443) Len=287
69   8.111573992  192.168.1.5  i.4cdn.org               UDP       88      59048 → https(443) Len=46
72   8.152502430  192.168.1.5  i.4cdn.org               UDP       88      59048 → https(443) Len=46
74   8.298403341  192.168.1.5  i.4cdn.org               UDP       88      59048 → https(443) Len=46
76   8.339674123  192.168.1.5  i.4cdn.org               UDP       88      59048 → https(443) Len=46
77   8.415093297  192.168.1.5  i.4cdn.org               UDP       341     48325 → https(443) Len=299
80   8.598745418  192.168.1.5  i.4cdn.org               UDP       333     48325 → https(443) Len=291
82   8.617041921  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
85   8.655210493  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
87   8.802122950  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
89   8.840743965  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
90   9.048928941  192.168.1.5  i.4cdn.org               UDP       339     48325 → https(443) Len=297
93   9.233918894  192.168.1.5  i.4cdn.org               UDP       331     48325 → https(443) Len=289
94   9.252163731  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
97   9.291263043  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
100  9.507022225  192.168.1.5  i.4cdn.org               UDP       87      48325 → https(443) Len=45
103  9.556540062  192.168.1.5  i.4cdn.org               UDP       87      48325 → https(443) Len=45
105  9.588704373  192.168.1.5  i.4cdn.org               UDP       88      48325 → https(443) Len=46
To filter for a certain time frame in Wireshark, use this filter.
(frame.time >= "Oct 2, 2023 10:51:50") && (frame.time <= "Oct 2, 2023 10:51:51")
This will list all packets within a one-second window, from 10:51:50.000 to 10:51:51.000; widen the two bounds to cover a longer range, for example 10:51:00 to 10:52:00 for a full minute. frame.time is the absolute timestamp interpreted in the local time zone of the machine running Wireshark, so when a capture was taken on a host in another zone, or when you match against log timestamps in UTC, check the offset first. For a range measured from the start of the capture, the relative column in the listing above, use frame.time_relative instead, e.g. frame.time_relative >= 4 && frame.time_relative <= 5.
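The conversation view with name resolution, the ip.src filter (exact host versus the /16 pitfall) and the frame.time window can all be reproduced outside the GUI over a packet list copied from the Packet List pane. The script below is an added example, not code from the original post or from the Wireshark project. Its sample rows are constructed: they mirror the listing above but use TEST-NET destination addresses (203.0.113.0/24) with a hand-built DNS map, because the page's listing already shows resolved names; rows 70 and 71 are extra, added to show a second LAN host and a reply packet, and the capture start time is invented.

```python
"""Re-create three things the page does in Wireshark, over a pasted packet list:
Statistics -> Conversations with Name Resolution, the ip.src display filter
(exact address vs. CIDR), and the frame.time window filter.

Added example, not part of the original post. All sample data is constructed.
"""
import ipaddress
import re
from collections import namedtuple
from datetime import datetime, timedelta

Packet = namedtuple("Packet", "no time src dst proto length info")

# Constructed rows in Wireshark's default column order:
# No. Time Source Destination Protocol Length Info
# Rows 70 and 71 are extra: another LAN host, and a reply from the server.
PACKET_LIST = """\
46 3.369652448 192.168.1.5 203.0.113.10 UDP 87 48325 → https(443) Len=45
48 3.408344779 192.168.1.5 203.0.113.10 UDP 88 48325 → https(443) Len=46
49 4.310013578 192.168.1.5 203.0.113.20 UDP 1285 41481 → https(443) Len=1243
50 4.310044289 192.168.1.5 203.0.113.20 UDP 1292 41481 → https(443) Len=1250
51 4.310051930 192.168.1.5 203.0.113.20 UDP 1062 41481 → https(443) Len=1020
63 7.818931082 192.168.1.5 203.0.113.20 UDP 71 47592 → https(443) Len=29
65 7.908551631 192.168.1.5 203.0.113.10 UDP 337 59048 → https(443) Len=295
70 8.120000000 192.168.7.9 203.0.113.10 UDP 88 51000 → https(443) Len=46
71 8.130000000 203.0.113.20 192.168.1.5 UDP 1292 https(443) → 41481 Len=1250
"""

# Constructed stand-in for what Wireshark learns from captured DNS replies or
# reverse lookups when "Resolve network (IP) addresses" is ticked.
DNS_MAP = {
    "203.0.113.10": "i.4cdn.org",
    "203.0.113.20": "youtube-ui.l.google.com",
}

ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
TIME_FMT = "%b %d, %Y %H:%M:%S"  # the format frame.time bounds are written in


def parse_packet_list(text):
    """Parse packet-list rows into Packet tuples; skip blanks and the header."""
    packets = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        no, t, src, dst, proto, length, info = m.groups()
        packets.append(Packet(int(no), float(t), src, dst, proto, int(length), info))
    return packets


def resolve(addr, dns_map=DNS_MAP):
    """Name resolution: the hostname if known, otherwise the address unchanged."""
    return dns_map.get(addr, addr)


def filter_src(packets, expr):
    """Equivalent of `ip.src == <expr>`. A bare address matches one host; a CIDR
    such as 192.168.1.5/16 is masked to 192.168.0.0/16 (strict=False mirrors
    Wireshark dropping the host bits) and matches every host in that block."""
    net = ipaddress.ip_network(expr, strict=False)
    return [p for p in packets if ipaddress.ip_address(p.src) in net]


def filter_time(packets, capture_start, start, end):
    """Equivalent of `frame.time >= "start" && frame.time <= "end"`.

    The pasted list carries relative times, so the absolute timestamp is
    capture_start plus the Time column. All three strings use TIME_FMT, and,
    like frame.time, are taken as local time with no zone conversion."""
    t0 = datetime.strptime(capture_start, TIME_FMT)
    lo, hi = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    return [p for p in packets if lo <= t0 + timedelta(seconds=p.time) <= hi]


def conversations(packets, dns_map=DNS_MAP):
    """Statistics -> Conversations (IPv4) with Name Resolution ticked: one row per
    unordered endpoint pair, packets and bytes counted in both directions."""
    table = {}
    for p in packets:
        key = tuple(sorted((resolve(p.src, dns_map), resolve(p.dst, dns_map))))
        row = table.setdefault(key, {"packets": 0, "bytes": 0})
        row["packets"] += 1
        row["bytes"] += p.length
    return table


if __name__ == "__main__":
    pk = parse_packet_list(PACKET_LIST)
    for (a, b), row in sorted(conversations(pk).items()):
        print(f"{a:24} <-> {b:24} {row['packets']:3} packets {row['bytes']:6} bytes")
    print("ip.src == 192.168.1.5    ->", len(filter_src(pk, "192.168.1.5")), "packets")
    print("ip.src == 192.168.1.5/16 ->", len(filter_src(pk, "192.168.1.5/16")), "packets")
    window = filter_time(pk, "Oct 2, 2023 10:51:46",
                         "Oct 2, 2023 10:51:50", "Oct 2, 2023 10:51:51")
    print("one-second window        ->", [p.no for p in window])
```

Running it prints three conversation rows (the reply in row 71 folds into the youtube-ui.l.google.com row, as Wireshark's bidirectional conversation table would do), seven packets for the exact ip.src match against eight for the /16 form, which also picks up 192.168.7.9, and frames 49, 50 and 51 as the only ones inside the one-second window.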