tcpdump output has a different hostname

Denver123 asked:

Sorry in advance for the simple question, but I’m trying to educate myself on tcpdump and networks.

I’m tracing all traffic going to a certain host with

tcpdump -SX -i any dst host

However, in the tcpdump output I see a different domain printed out, something like

I pinged both URLs and they have the same IP, so that’s the traffic I was querying for.

What I would like to understand is why I get a different hostname in the output and how I can prevent that from happening. Thanks.

My answer:

You got a different hostname because tcpdump looked up the PTR record for the IP address and used that in its display.

You can turn off hostname lookups and show only IP addresses with the -n option.

You may also want to use it twice, to avoid printing protocol and port names (e.g. 25 instead of smtp).

From the man page:

       -n     Don't convert host addresses to names.   This  can  be  used  to
              avoid DNS lookups.

       -nn    Don't convert protocol and port numbers etc. to names either.
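The capture from the answer with -nn added, plus a post-processing step that keys on the numeric destination address so a PTR record never enters the picture. This is an added example, not code from the Server Fault post; the target address 203.0.113.10, the name example.com and the sample tcpdump lines are constructed for illustration.

```shell
#!/bin/sh
# Added example for this page, not code from the Server Fault post.
# Assumed: the name example.com, the address 203.0.113.10 and the
# constructed sample lines below.

# Resolve the name once, up front (real lookup, not exercised offline).
# libpcap also resolves "dst host <name>" when it compiles the filter,
# so the capture matches every address the name currently has.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# The command from the question with -nn added:
#   -nn  no host, port or protocol names (no PTR lookups at all)
#   -S   absolute TCP sequence numbers
#   -X   payload in hex and ASCII
build_capture_cmd() {
  printf 'tcpdump -nn -S -X -i any dst host %s' "$1"
}

# Destination IPv4 address, port stripped, from one line of -nn output.
# The "IP" token is located by value because "-i any" on newer tcpdump
# prints an interface and direction column before it.
dst_ip_of_line() {
  printf '%s\n' "$1" | awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "IP") {
          d = $(i + 3)             # e.g. "203.0.113.10.443:"
          sub(/:$/, "", d)         # drop the trailing colon
          sub(/\.[0-9]+$/, "", d)  # drop the ".port" suffix
          print d
          exit
        }
      }
    }'
}

# Constructed sample output of "tcpdump -nn -i any" (not a real capture).
SAMPLE_LINES='12:00:00.000001 IP 10.0.0.5.44312 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 203.0.113.10.443 > 10.0.0.5.44312: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000003 IP 10.0.0.5.51000 > 198.51.100.7.25: Flags [S], seq 3, win 64240, length 0
12:00:00.000004 eth0  Out IP 10.0.0.5.44312 > 203.0.113.10.443: Flags [.], ack 3, win 64240, length 0'

# Print only the sample lines whose destination is exactly the given IP.
lines_to_dst() {
  printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r line; do
    if [ "$(dst_ip_of_line "$line")" = "$1" ]; then
      printf '%s\n' "$line"
    fi
  done
}

# Number of such lines.
count_lines_to_dst() {
  lines_to_dst "$1" | awk 'END { print NR }'
}

# Usage: sh this_script.sh
main() {
  echo "would run: $(build_capture_cmd 203.0.113.10)"
  lines_to_dst 203.0.113.10
}
```

Filtering on the numeric address works the same whether the IP has one PTR record, several, or none, which is why the post-processing above never calls a resolver; the one forward lookup happens once, before the capture starts.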

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.