Network data is transported via various alphanumeric addressing systems that are often too long or complicated to remember, such as the physical hardware address 00:16:CE:6E:8B:24. Name resolution (also called name lookup) is the process a protocol uses to convert one identifying address into another. For example, while a computer might have the physical MAC address 00:16:CE:6E:8B:24, the DNS and ARP protocols allow us to see its name as Marketing-2.domain.com. By associating easy-to-read names with these cryptic addresses, we make them easier to remember and identify.
Enabling Name Resolution
Switch to view page in ribbon section. As shown in Figure 5-8, two types of name resolution are available in Unicorn:
Figure 5-8: Enabling name resolution in view page
MAC name resolution This type of name resolution uses the ARP protocol to attempt to convert layer 2 MAC addresses, such as 00:09:5B:01:02:03, into layer 3 addresses, such as 10.100.12.1. If attempts at these conversions fail, Unicorn will use the ethers file in its program directory to attempt conversion. Unicorn’s last resort is to convert the first 3 bytes of the MAC address into the device’s IEEE specified manufacturer name, such as Netgear_01:02:03.
Network name resolution This type of name resolution attempts to convert a layer 3 address, such as the IP address 192.168.1.50, into an easy-to-read DNS name such as MarketingPC1.domain.com.
You can leverage the various name resolution tools to make your capture files more readable and to save a lot of time in certain situations. For example, you can use DNS name resolution to help readily identify the name of a computer you are trying to pinpoint as the source of a particular packet.
Potential Drawbacks to Name Resolution
Given its benefits, using name resolution may seem like a no-brainer, but there are some potential drawbacks, including the following:
1. Name resolution can fail, typically because the name is unknown by the name server the query was sent to.
2. Name resolution must take place every time you open a specific capture file because this information is not saved in the file. This means that if the servers that a file’s name resolution depends on are not available, name resolution will fail.