0

I wrote a test program to capture packets for a given domain name. I was using gethostbyname() to retrieve ip address and pcap to capture packets destined for that ip address. The pcap_loop() count was set to -1 so it is supposed to keep capturing.

Theoretically, all packets that send from my pc to that ip address would be captured, regardless of if that domain name is visited by web browser or just by pinging it, right?

After testing, although this is true for many websites, it is not applicable for high-traffic sites like google or ebay. Meaning if I ping the ip address retrieved from the gethostbyname(), the ping packets will be captured by the program, but if I visit google.com on firefox, no packets is captured. That shows there might be a different ip address for the same domain name like google.com.

If that is the case, why the DNS server returns different ips for google.com while others are identical? And what is the different, if there's any, between requests from gethostbyname() and those from web browser?

Thanks in advance.

AuA
  • 481
  • 1
  • 5
  • 11
  • Are you capturing traffic for **all** of the IP addresses returned by `gethostbyname()` or just the first one? – Celada Jun 03 '13 at 22:02
  • Isn't that gethostbyname() only returns one ip address in the struct hostent? – AuA Jun 04 '13 at 02:01
  • No, it returns an array of them. By the way, you should consider using `getaddrinfo()` instead of `gethosybyname()`. `gethostbyname()` is deprecated and obsolete. – Celada Jun 04 '13 at 14:06

1 Answers1

1

In case the given domain name resolves to more than one IP address, you need to make sure your capture filter is set up to capture for all of them, because you never know which one the web browser is going to select. If you only filter for (say) the first one returned, there is only a 1 in n chance that you will pick the same one as the web browser does (where n is the number of addresses).

By the way, you should consider using getaddrinfo() instead of gethosybyname(). gethostbyname() is deprecated and obsolete. Most importantly, it is unable to return IPv6 addresses.

gethostbyname() returns the list of resolved IP addresses as an array... but only the IPv4 ones.

getddrinfo() returns the list of resolved IP addresses as a linked list.

Celada
  • 21,627
  • 4
  • 64
  • 78
  • I think gethostbyname returns both IPv4 & IPv6. Look at showip.c here: http://www.beej.us/guide/bgnet/output/html/singlepage/bgnet.html#getaddrinfo Works for me. – JohnMudd Jun 03 '16 at 13:55
  • 1
    @JohnMudd: no, the example you quoted uses `getaddrinfo()` in fact. The page even says "In particular, **gethostbyname()** doesn't work well with IPv6.". `getaddrinfo()` is definitely the thing to use. – Celada Jun 03 '16 at 19:49
  • Thanks, my mistake. – JohnMudd Jun 06 '16 at 13:26