Learning Python Network Programming

(Sean Pound) #1

Working with Wireshark


Retrieving the IP address of a hostname is called name resolution, and this is exactly
the task that DNS was designed for. There are several mechanisms that we can use to
interact with DNS. On Linux and Windows, we can use the nslookup command-line
tool. Run the following command:


    $ nslookup www.ietf.org
    Server:     127.0.1.1
    Address:    127.0.1.1#53

    Non-authoritative answer:
    www.ietf.org canonical name = www.ietf.org.cdn.cloudflare-dnssec.net.
    Name:   www.ietf.org.cdn.cloudflare-dnssec.net
    Address: 104.20.1.85
    Name:   www.ietf.org.cdn.cloudflare-dnssec.net
    Address: 104.20.0.85


The output indicates that www.ietf.org is actually hosted at two IP addresses:
104.20.1.85 and 104.20.0.85. This is becoming increasingly frequent as more
websites deploy load balancing and content delivery networks to spread the
workload across servers.


A quick glance at our captured HTTP packets list will probably allow us to see which
server we ended up connecting to. In the preceding example, it's 104.20.0.85.
However, to make sure, we can filter for both the IP addresses.


Note that nslookup may return different IP addresses than those shown in the
preceding example. Web services can change IP addresses of their servers for
various reasons.


So now, we can filter for www.ietf.org. Using the IP addresses you just resolved,
enter this new query in the filter box:


http and (ip.addr == 104.20.1.85 or ip.addr == 104.20.0.85)

Click on the Apply button again. This query adds the extra condition that, as well as
involving the HTTP protocol, packets must have an IP source or destination address
of either 104.20.1.85 or 104.20.0.85.
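The resolve-then-filter step above can be scripted. The following is an added example, not code from the book: it parses nslookup-style output (skipping the resolver's own `127.0.1.1#53` line, which is not a host address), validates each address, and assembles the Wireshark display filter shown above. The sample output and the `resolve_ipv4` helper are constructed for this example.

```python
import ipaddress
import re
import socket

# Constructed sample: nslookup output in the shape shown above.
SAMPLE_NSLOOKUP = """\
Server:     127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
www.ietf.org canonical name = www.ietf.org.cdn.cloudflare-dnssec.net.
Name:   www.ietf.org.cdn.cloudflare-dnssec.net
Address: 104.20.1.85
Name:   www.ietf.org.cdn.cloudflare-dnssec.net
Address: 104.20.0.85
"""


def parse_nslookup(output):
    """Return the answer addresses from nslookup output, in order, without duplicates.

    The header 'Address: 127.0.1.1#53' names the resolver and its port, not the
    host being looked up, so any address carrying a '#port' suffix is skipped.
    Anything that does not parse as an IP address is also dropped, so the value
    fed into the display filter is always a well-formed address."""
    addresses = []
    for line in output.splitlines():
        m = re.match(r"\s*Address(?:es)?:\s*(\S+)", line)
        if not m or "#" in m.group(1):
            continue
        try:
            addr = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
        if addr not in addresses:
            addresses.append(addr)
    return addresses


def build_http_filter(addresses):
    """Build the 'http and (ip.addr == A or ip.addr == B)' display filter."""
    if not addresses:
        raise ValueError("no addresses to filter on")
    clause = " or ".join(f"ip.addr == {a}" for a in addresses)
    return f"http and ({clause})"


def resolve_ipv4(hostname):
    """Live equivalent of the nslookup step using the standard library resolver."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return list(dict.fromkeys(sockaddr[0] for *_, sockaddr in infos))


if __name__ == "__main__":
    print(build_http_filter(parse_nslookup(SAMPLE_NSLOOKUP)))
```

Because the addresses behind a name can change, as the text notes, rerun the resolution each time you build the filter rather than reusing a saved list.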
