Name Resolution
Name resolution replaces raw addresses with human-readable names throughout
Packet Viewer. Instead of seeing 192.168.1.100, you’ll see a name like
desktop.local.
Resolved names appear anywhere Packet Viewer shows a source or destination address, including the Packet List, Decode Tree, Ladder Diagram, and other views.
Configuration
Name resolution settings are stored in the preferences file within a profile
directory. All Wireshark documentation about name resolution applies
to Packet Viewer.
Network Name Resolution Methods
Network name resolution converts IP addresses to names. Enable this feature
by setting nameres.network_name: TRUE in your profile preferences.
PCAP-ng Name Resolution Blocks
Name Resolution Blocks (NRBs) are embedded directly in PCAP-ng files and contain the IP-to-name mappings that were active when the capture was taken. Names travel with the capture file, reflect actual network state at capture time, require no configuration, and work offline.
To check if a file contains NRBs, use capinfos from Wireshark.
Hosts Files
Hosts files provide static IP-to-name mappings using the format: IP address, whitespace, hostname, one mapping per line.
192.168.1.1 router
192.168.1.10 webserver
10.0.0.5 database
Packet Viewer checks two locations for hosts files:
Profile-specific: hosts file in your profile directory (alongside your
preferences file). Use for project-specific names, temporary mappings, or
overriding system-wide names. Checked first, so mappings here take
precedence.
System-wide: /usr/cloudshark/share/wireshark/hosts in the container.
Use for organization-wide standards and shared infrastructure names. Checked
second, this file provides fallback for IPs not in the profile directory.
Both files are used together. If the same IP appears in both locations, the profile file mapping is used.
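The precedence rule above, worked through as an added example (not Packet Viewer or Wireshark code). It merges the two hosts files and reports every system-wide name that a profile entry overrides, which is worth reviewing because an override changes the label an analyst sees for an address. The function names, the sample contents, the treatment of `#` as a comment marker and the choice to keep the first entry when one file lists an IP twice are assumptions of this sketch.

```python
import ipaddress

# Constructed sample contents. In a deployment these would be read from the
# hosts file in the profile directory and /usr/cloudshark/share/wireshark/hosts.
PROFILE_HOSTS = """\
# project overrides
192.168.1.10   staging-web
10.0.0.99      test-db
not-an-ip      broken
"""
SYSTEM_HOSTS = """\
192.168.1.1    router
192.168.1.10   webserver
10.0.0.5       database
"""

def parse_hosts(text):
    """Parse 'IP whitespace hostname' lines; return ({ip: name}, rejected)."""
    mapping, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if len(fields) < 2:
            rejected.append((lineno, raw))
            continue
        mapping.setdefault(ip, fields[1])  # assumption: first entry per IP wins
    return mapping, rejected

def effective_names(profile_text, system_text):
    """Apply the documented order: profile file first, system-wide as fallback."""
    profile, bad_profile = parse_hosts(profile_text)
    system, bad_system = parse_hosts(system_text)
    effective = {**system, **profile}  # profile mappings take precedence
    shadowed = {ip: (system[ip], name) for ip, name in profile.items()
                if ip in system and system[ip] != name}
    return effective, shadowed, bad_profile + bad_system

if __name__ == "__main__":
    names, shadowed, rejected = effective_names(PROFILE_HOSTS, SYSTEM_HOSTS)
    for ip, (old, new) in shadowed.items():
        print(f"{ip}: profile name {new!r} overrides system-wide {old!r}")
    for lineno, raw in rejected:
        print(f"rejected line {lineno}: {raw!r}")
```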
DNS Packets in the Capture
Enable nameres.dns_pkt_addr_resolution: TRUE to extract name mappings
directly from DNS traffic found in the capture. Wireshark scans for DNS query
and response packets and uses those mappings throughout the analysis. This
method only works for DNS lookups that were captured in the same PCAP file as
the traffic being analyzed. If the DNS query happened before the capture
started or on a different network segment that wasn’t captured, those names
will not be available.
External DNS Resolution
External DNS resolution generates live DNS queries for every IP address in your capture file. In production deployments with multiple users or automated workflows, this can generate significant DNS traffic that may impact DNS infrastructure, trigger rate limiting, or cause security monitoring alerts. It is NOT recommended.
Two options enable external DNS resolution:
System Name Resolver: uses the system’s default name resolution.
nameres.use_external_name_resolver: TRUE
Custom DNS Servers: sends requests to a configured list of specific DNS servers, independent of the underlying system’s settings.
nameres.use_custom_dns_servers: TRUE
Indicate the specific DNS servers in an addr_resolve_dns_servers file within
your profile directory. Each line specifies a DNS server using the format:
"<DNS_server>","<TCP_port>","<UDP_port>"
Example addr_resolve_dns_servers file:
"8.8.8.8","0","53"
"8.8.4.4","0","53"
"1.1.1.1","0","53"
The TCP and UDP port values are typically "0" and "53" respectively, where
"0" indicates TCP is not used.
Concurrent requests
The nameres.name_resolve_concurrency setting (default: 500) controls the
maximum number of concurrent DNS queries. Lowering this value reduces
instantaneous load but increases overall resolution time.
Why we don’t recommend external resolvers
External resolution queries real DNS servers for each unique IP address found in the capture. With hundreds or thousands of unique IPs per capture, this generates substantial DNS traffic. Concurrent users multiply this load proportionally.
Additionally, resolution happens asynchronously and on-demand as packets are processed. This creates inconsistent output where the same IP address may appear resolved in some locations and unresolved in others until all packets have been processed. Packet Viewer automatically closes idle sharkd instances after a timeout to conserve resources, which clears all resolved names and requires re-resolution.
External DNS resolution also returns current DNS mappings rather than the mappings that were active when the capture was taken, which may not accurately reflect the network state at the time of capture.
If external DNS resolution is required, use it only in development or testing environments with small captures and explicit understanding of the consequences.
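A pre-deployment check for the settings discussed in this section, as an added example (not part of Packet Viewer or Wireshark). It reads a profile's preferences text and, when custom servers are enabled, the addr_resolve_dns_servers text, then reports which resolvers would receive live queries. The function names, the sample inputs and the `unique_ips` figure are constructed for illustration; the defaults come from the Configuration Reference on this page.

```python
import csv
import io

# Defaults as listed in this page's Configuration Reference table.
DEFAULTS = {
    "nameres.network_name": "FALSE",
    "nameres.dns_pkt_addr_resolution": "FALSE",
    "nameres.use_external_name_resolver": "FALSE",
    "nameres.use_custom_dns_servers": "FALSE",
    "nameres.name_resolve_concurrency": "500",
}

def parse_prefs(text):
    """Overlay 'key: value' lines from a preferences file onto the defaults."""
    prefs = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in DEFAULTS:
            prefs[key.strip()] = value.strip()
    return prefs

def parse_dns_servers(text):
    """Return the server field of each '"server","tcp_port","udp_port"' line."""
    return [row[0] for row in csv.reader(io.StringIO(text)) if len(row) == 3]

def audit(prefs_text, servers_text="", unique_ips=0):
    """List (method, query targets, lookups) for each enabled external option.

    The lookup count follows the page: one query per unique IP in the capture.
    """
    prefs = parse_prefs(prefs_text)
    enabled = lambda key: prefs[key].upper() == "TRUE"
    findings = []
    if enabled("nameres.use_external_name_resolver"):
        findings.append(("system resolver", ["<system default>"], unique_ips))
    if enabled("nameres.use_custom_dns_servers"):
        findings.append(("custom servers", parse_dns_servers(servers_text), unique_ips))
    return findings

# Constructed sample inputs; the server list reuses the page's example file.
RISKY_PREFS = "# profile\nnameres.network_name: TRUE\nnameres.use_custom_dns_servers: TRUE\n"
SAFE_PREFS = "nameres.network_name: TRUE\nnameres.dns_pkt_addr_resolution: TRUE\n"
SERVERS = '"8.8.8.8","0","53"\n"8.8.4.4","0","53"\n"1.1.1.1","0","53"\n'

if __name__ == "__main__":
    for method, targets, lookups in audit(RISKY_PREFS, SERVERS, unique_ips=1200):
        print(f"{method}: up to {lookups} live lookups sent to {', '.join(targets)}")
```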
Other Resolution Types
MAC Address Resolution
MAC address resolution is enabled by default and shows manufacturer names instead of raw MAC addresses.
nameres.mac_name: TRUE
Example: VMware_ab:cd:ef instead of 00:50:56:ab:cd:ef.
Transport Name Resolution
Transport name resolution replaces port numbers with service names.
nameres.transport_name: FALSE
Example: ssh instead of 22. This can obscure non-standard port
assignments and is disabled by default.
VLAN Name Resolution
VLAN name resolution maps VLAN IDs to names.
nameres.vlan_name: FALSE
Create a vlans file in your profile directory with the format:
VLAN_ID<Tab>Name
1 Management
10 Servers
100 Guest
SS7 Point Code Resolution
SS7 Point Code resolution maps SS7 Point Codes to node names.
nameres.ss7_pc_name: FALSE
Create an ss7pcs file in your profile directory with the format:
Network_Indicator-PC_Decimal<Tab>Name
2-1234 Gateway1
3-5678 MSC_North
This is used primarily for telecom engineering with SS7/SIGTRAN traffic.
Configuration Reference
| Setting | Default | Description |
|---|---|---|
| nameres.network_name | FALSE | Enable IP address resolution |
| nameres.dns_pkt_addr_resolution | FALSE | Extract names from DNS packets in capture |
| nameres.use_external_name_resolver | FALSE | Query system DNS (see warning above) |
| nameres.use_custom_dns_servers | FALSE | Use specific DNS servers (see warning) |
| nameres.name_resolve_concurrency | 500 | Maximum concurrent DNS queries |
| nameres.mac_name | TRUE | Resolve MAC addresses to manufacturers |
| nameres.transport_name | FALSE | Show service names instead of port numbers |
| nameres.vlan_name | FALSE | Resolve VLAN IDs to names |
| nameres.ss7_pc_name | FALSE | Resolve SS7 Point Codes to names |
Recommended Configuration
For most deployments, the following configuration provides reliable name resolution without impacting infrastructure:
nameres.network_name: TRUE
nameres.dns_pkt_addr_resolution: TRUE
nameres.mac_name: TRUE
nameres.use_external_name_resolver: FALSE
nameres.use_custom_dns_servers: FALSE
Maintain a system-wide hosts file at /usr/cloudshark/share/wireshark/hosts
for organization-wide names. Use profile-specific hosts files for
project-specific or temporary overrides. Enable DNS packet resolution to
supplement hosts files with names extracted from captured DNS traffic.
PCAP-ng files with embedded Name Resolution Blocks provide the most accurate and portable name resolution as the names are embedded in the capture file itself.