
Deriving Hostname Annotation From Network Traffic


What is Hostname Annotation?

In computer networking, hostname annotation typically refers to the way a text-based name is assigned to an IP address. This makes it easier for users to remember what they need to connect to. The concept is nothing new; we use a similar approach for phone numbers. Our phone holds a database of names and their corresponding numbers, and most of us only remember the name part.

A hostname may be a domain name like www.netfort.com, or it could be the name assigned to your laptop. In corporate environments, computer names usually follow a naming convention, so when you see a hostname you also instantly know who the computer was assigned to.

Hostnames are also very useful in network incident response. Many logs on devices such as firewalls and servers contain IP address information, which leaves you with the question “what hostname does this IP address represent?” Knowing this usually speeds up getting to the root cause of the problem.

How to capture hostnames

Gathering a comprehensive database of hostnames requires multiple data sources. Local machine names can be gathered from DHCP logs, and Internet hostnames can sometimes be gathered with a reverse DNS lookup.

Away from logs, there is a rich source of hostnames on every network: the traffic itself. If you monitor network traffic at strategic locations, you can use deep packet inspection to extract the hostnames. Traffic can be captured using a SPAN or mirror port, or a network TAP. Capturing hostnames this way is passive, and you don’t need to enable logging on any network device. Strategic locations to capture network traffic include:

  • Local DNS servers
  • DHCP servers
  • Internet gateways

A look at hostnames captured from network traffic

The following screenshots were taken from a LANGuardian system that I have in my lab. It uses network traffic as its data source and captures hostname information with a series of application-aware analysis engines. While you can extract hostname information manually from traffic using tools like Wireshark, LANGuardian delivers automatic, always-on hostname annotation capture.

1. DNS Traffic

In this first example we see the output of the LANGuardian DNS lookup report. As you can see, DNS traffic contains a wealth of hostname information. Click on the image to access the report in our online demo.

hostname annotation by analyzing DNS traffic

2. DHCP Requests

Hostnames are transmitted when a client (wired or wireless) requests an IP address from a DHCP server. In my example I am using LANGuardian to build an inventory of all wired and wireless devices that connect. Click on the image to access the report in our online demo.

Hostnames captured by analyzing DHCP requests

3. HTTP Headers

HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction. When a user browses a website, the hostname of the site can be found in the HTTP request header generated by their browser. The image below shows how this information can then be used to build an Internet domain style report. Click on the image to access the report in our online demo.

Web hostnames extracted from HTTP headers
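To make concrete what the DNS, DHCP and HTTP analysis engines described in sections 1 to 3 actually pull out of each packet, here is an added Python example (not LANGuardian code, not from the original post) that extracts a hostname from a DNS query, a DHCP request (option 12, Host Name) and an HTTP request (Host header). The payloads are constructed samples, and the code assumes the Ethernet/IP/UDP/TCP headers have already been stripped off.

```python
import struct
from typing import Optional

def dns_qname(payload: bytes) -> str:
    """First question name from a raw DNS message (UDP payload only)."""
    if struct.unpack("!H", payload[4:6])[0] < 1:  # qdcount
        raise ValueError("no question section")
    labels, pos = [], 12  # question section starts after the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:  # compression pointer is not valid in a question name
            raise ValueError("compressed label in question")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def dhcp_hostname(payload: bytes) -> Optional[str]:
    """Option 12 (Host Name) from a raw DHCP message, or None if absent."""
    if payload[236:240] != b"\x63\x82\x53\x63":  # 236 fixed BOOTP bytes, then magic cookie
        raise ValueError("missing DHCP magic cookie")
    pos = 240
    while pos < len(payload) and payload[pos] != 255:  # 255 = end option
        code = payload[pos]
        if code == 0:  # pad option has no length byte
            pos += 1
            continue
        length = payload[pos + 1]
        if code == 12:
            return payload[pos + 2:pos + 2 + length].decode("ascii", errors="replace")
        pos += 2 + length
    return None

def http_host(request: bytes) -> Optional[str]:
    """Host header from a raw HTTP/1.x request (port stripped), or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", errors="replace").rsplit(":", 1)[0]
    return None

# Constructed sample payloads, not real captures
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x03www\x07netfort\x03com\x00\x00\x01\x00\x01")
DHCP_REQUEST = (b"\x01" + b"\x00" * 235 + b"\x63\x82\x53\x63"
                + b"\x35\x01\x03\x0c\x06LAPTOP\xff")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.netfort.com:8080\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    print(dns_qname(DNS_QUERY), dhcp_hostname(DHCP_REQUEST), http_host(HTTP_REQUEST))
```

Each function returns None (or raises) when the field is absent or malformed, which is the case a passive collector must handle gracefully rather than recording a bogus name.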

4. SSL/TLS Certificates

An SSL/TLS certificate is like a driver’s license: it serves two functions. It grants permission to use encrypted communication via a Public Key Infrastructure, and it authenticates the identity of the certificate’s holder. This identity information contains a hostname, and it is transmitted in clear text during the certificate negotiation process.

The image below shows an example of this hostname annotation which LANGuardian extracted from network traffic captured at the perimeter of a network. Click on the image to access the report in our online demo.

SSL/TLS hostnames extracted from network traffic

For more information on how LANGuardian works, check out this page. You can also download a trial version of LANGuardian if you want to test how quickly hostname annotations can be captured from network traffic.