
I am using the below filter to capture all outgoing HTTPS traffic.

tcpdump "port 443 and src host 192.168.0.4"

13:43:54.343747 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343843 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671899, win 0, length 0
13:43:54.343887 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343931 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0

How is tcpdump getting the hostname (stackoverflow.com.https) details, if it only sniffs into the TCP layer?


1 Answer


If you run tcpdump without specifying the -n option, it will perform a reverse DNS lookup for every IP address within the capture file as it displays those packets.

Generally, when using this tool for analysis, it is preferred to specify the -n option, which will dramatically increase the overall performance of the tool since it will no longer be generating lots of DNS lookups.
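The substitution the answer describes, as an added example that is not part of the original question or answer: the script below takes lines in the form `tcpdump -n` prints them (constructed, with the RFC 5737 documentation address 203.0.113.10 standing in for the real peer) and rewrites each `ip.port` endpoint the way default tcpdump does, i.e. a PTR name when a reverse record exists and a service name from `/etc/services` when the port is known. The PTR and service tables are constructed stand-ins so it runs offline; `reverse_lookup_live` is the real system-resolver call for comparison.

```python
"""Mimic how tcpdump turns 'ip.port' endpoints into 'host.service' names.

Added example, not from the question or answer. Without -n, tcpdump does a
reverse (PTR) DNS lookup for each address and maps ports via /etc/services;
with -n both substitutions are skipped. The PTR and service tables below are
constructed stand-ins so the script runs offline.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed: what `tcpdump -n` would print for the question's traffic.
# 203.0.113.10 is a documentation address (RFC 5737) standing in for the real peer.
SAMPLE_NUMERIC = [
    "13:43:54.343747 IP 192.168.0.4.39358 > 203.0.113.10.443: Flags [R], seq 1287671898, win 0, length 0",
    "13:43:54.343843 IP 192.168.0.4.39358 > 203.0.113.10.443: Flags [R], seq 1287671899, win 0, length 0",
]

# Constructed PTR table: only the remote address has a reverse record here,
# which is why the local 192.168.0.4 stays numeric in the question's output.
CONSTRUCTED_PTR: Dict[str, str] = {"203.0.113.10": "stackoverflow.com"}

# Constructed subset of /etc/services (port -> name) for TCP.
CONSTRUCTED_SERVICES: Dict[int, str] = {443: "https", 80: "http", 22: "ssh"}

# Matches an IPv4 address followed by a port, e.g. 192.168.0.4.39358
ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5})\b")


def reverse_lookup_live(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (what tcpdump does without -n)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def render_line(line: str, numeric: bool,
                ptr: Callable[[str], Optional[str]] = CONSTRUCTED_PTR.get,
                services: Dict[int, str] = CONSTRUCTED_SERVICES) -> str:
    """Rewrite each 'ip.port' endpoint as tcpdump would print it.

    numeric=True  -> like `tcpdump -n`: addresses and ports left as numbers.
    numeric=False -> default tcpdump: PTR name if one exists, service name if known.
    """
    if numeric:
        return line

    def substitute(match) -> str:
        ip, port = match.group(1), int(match.group(2))
        host = ptr(ip) or ip                  # no PTR record -> keep the address
        svc = services.get(port, str(port))   # unknown port -> keep the number
        return f"{host}.{svc}"

    return ENDPOINT.sub(substitute, line)


def distinct_lookups(lines: List[str]) -> int:
    """Number of distinct addresses tcpdump would have to resolve without -n."""
    ips = {m.group(1) for line in lines for m in ENDPOINT.finditer(line)}
    return len(ips)


if __name__ == "__main__":
    for line in SAMPLE_NUMERIC:
        print("with -n :", render_line(line, numeric=True))
        print("default :", render_line(line, numeric=False))
    print("PTR lookups needed without -n:", distinct_lookups(SAMPLE_NUMERIC))
```

Passing `ptr=reverse_lookup_live` to `render_line` uses real DNS instead of the constructed table. Each distinct address costs one reverse query, which is the overhead the answer refers to, and those queries are themselves DNS traffic that a broad capture filter will pick up, so `-n` also keeps the capture free of noise the tool generated.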