tcpdump output has a different hostname

tcpdump

Sorry in advance for the simple question, but I'm trying to educate myself on tcpdump and networks.

I'm tracing all traffic going to a certain host with

tcpdump -SX -i any dst host host.site.com

However, in the tcpdump output I see a different domain printed out, something like edge-123.site.com.

I pinged both URLs and they have the same IP, so that's the traffic I was querying for.

What I would like to understand why do I get a different hostname in the output and how can I prevent that from happening? Thanks.


Solution 1:

You got a different hostname because tcpdump looked up the PTR record for the IP address and used that in its display.

You can turn off hostname lookups and show only IP addresses with the -n option.

You may also want to use it twice, to avoid printing protocol and port names (e.g. 25 instead of smtp).

From the man page:

       -n     Don't convert host addresses to names.   This  can  be  used  to
              avoid DNS lookups.

       -nn    Don't convert protocol and port numbers etc. to names either.

Related

Resizing partition with DiskPart using desired and minimum options is unsuccessful
nginx wildcard redirect suspicious symbols warnig
How to Test ipv6 DNS Resolution Performance
Why linux generates ARP broadcast for packets that match the LAN route?
NFTABLE issue: IPv6 does not behave like IPv4 with mirror config
Why can't I reach a specific host using a specific DNS?
Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
How to make a Proxmox VM autostart with the qm command line tool?
How to create network in Ubuntu 20.04 from ethernet Cable
What is meant by saying "X, not to say Y"?
Works as expected vs. is working as expected
Can an image be redacted, or just text?