
Identifying the IP endpoints

Domain names were invented to make sites easier to remember than raw addresses. The list of IP addresses from the previous section means little to us on its own, but a list that shows those IPs resolved to domain names helps a lot. On clicking the Show address resolution option (Resolved Addresses), we are presented with the following:

Well, this now makes proper sense, as we have a list of IP addresses with their domain resolutions, which can help us eliminate false positives. We saw in the previous endpoint section that the second-highest number of packets in the endpoints originated from 162.125.34.6. Since we have no idea what this IP address belongs to, we can refer to the address resolutions and find that it resolves to dropbox-dns.com, which looks suspicious. Let's search for it on Google using the string client.dropbox-dns.com; browsing the first result from the search, we have the following:

We can see from the preceding search result (the official Dropbox website, https://www.dropbox.com/) that the domain is a legitimate Dropbox domain and that the traffic to and from it is safe (assuming that Dropbox is permitted on the network, or, if it is allowed only for a select group of users, that the traffic is associated with those users only). This resolution not only helps us identify domains, but also tells us a lot about the software running on the target. We have already identified Dropbox as running on the system. We also identified the following from the Resolved Addresses pane in Wireshark:

  • A Gmail account being accessed
  • A Qihoo 360 antivirus
  • An HDFC bank account
  • The Grammarly plugin
  • The Firefox browser
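The triage step described above (joining the endpoint packet counts with the Resolved Addresses table so that the heaviest talkers can be checked by name) can be scripted. The following is an added example, not code from the book; only the 162.125.34.6 to client.dropbox-dns.com pair comes from the chapter, every other address, hostname and packet count is constructed, and it assumes the resolved table was copied out of Wireshark in hosts-file style (IP address followed by hostname).

```python
# Join Wireshark endpoint packet counts with the Resolved Addresses table.
# Constructed sample data: only the 162.125.34.6 -> client.dropbox-dns.com pair
# is from the chapter; every other address, name and count is made up here.
# Assumes the resolved table was copied out in hosts-file style (IP, hostname).
from ipaddress import ip_address

RESOLVED_ADDRESSES = """\
# Hosts
162.125.34.6\tclient.dropbox-dns.com
203.0.113.10\tmail.example-constructed.test
"""

# (address, packets), mimicking the Statistics > Endpoints IPv4 tab
ENDPOINTS = [
    ("192.0.2.15", 4210),
    ("162.125.34.6", 1873),
    ("203.0.113.10", 640),
    ("198.51.100.77", 12),
]

def parse_resolved_addresses(text):
    """Return {ip: hostname}; skips comments, blank and malformed lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 2:
            continue
        try:
            ip = str(ip_address(parts[0]))  # normalises and rejects junk
        except ValueError:
            continue
        table[ip] = parts[1].lower()
    return table

def annotate_endpoints(endpoints, resolved):
    """Attach a hostname (or None) to each endpoint, heaviest talkers first."""
    rows = [{"ip": a, "packets": n, "host": resolved.get(a)} for a, n in endpoints]
    return sorted(rows, key=lambda r: r["packets"], reverse=True)

def unresolved(rows):
    """Endpoints with no name: the ones still needing manual review."""
    return [r["ip"] for r in rows if r["host"] is None]

if __name__ == "__main__":
    table = parse_resolved_addresses(RESOLVED_ADDRESSES)
    for r in annotate_endpoints(ENDPOINTS, table):
        print(f"{r['ip']:<16}{r['packets']:>6}  {r['host'] or '<unresolved>'}")
```

Addresses that stay unresolved are the ones worth a manual lookup, exactly as the chapter does for the Dropbox host.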