Sorry in advance for the simple question, but I’m trying to educate myself on tcpdump and networks.
I’m tracing all traffic going to a certain host with
tcpdump -SX -i any dst host host.site.com
However, in the tcpdump output I see a different domain printed out, something like
I pinged both URLs and they have the same IP, so that’s the traffic I was querying for.
What I would like to understand is why I get a different hostname in the output and how I can prevent that from happening. Thanks.
You got a different hostname because tcpdump looked up the PTR record for the IP address and used that in its display.
You can turn off hostname lookups and show only IP addresses with the
You may also want to use it twice, to avoid printing protocol and port names (e.g.
25 instead of
From the man page:
-n   Don't convert host addresses to names. This can be used to avoid DNS lookups.
-nn  Don't convert protocol and port numbers etc. to names either.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.