If you are reviewing an asset or an event and the asset has no hostname associated with it (as in the event shown below), read on:
How the sensor gets the hostname
To understand why you may not see a hostname associated with an asset, you first need to understand how the sensor finds the hostname for that asset.
Here is the process (in order) the sensor uses to associate hostnames with IP addresses:
1. If the sensor sees a DNS query and its answer on the wire, it caches the result for the answer's TTL (with a floor of 5 minutes, so even short-TTL answers stay for at least that long). When an event comes in, the sensor looks up the IP address in this local DNS host cache; if it finds the IP address it returns the hostname and the MAC address. Note that the sensor can only cache what it actually sees, so DNS traffic that does not pass the sensor's monitored interface never enters this cache.
2. If the sensor does not find the IP address in #1, it does a direct NetBIOS name query against the host (the equivalent of c:\>nbtstat -A 10.20.1.29). Hosts that are not Windows, or that block NetBIOS (UDP 137), will not answer.
3. If the sensor does not find the IP address in #1 or #2, it checks its mDNS cache (names it has seen advertised over multicast DNS) to see if it can resolve the name.
4. Direct DNS resolution: the sensor asks the local DNS server for the PTR record of the IP address. This only works if the local DNS server has reverse zones configured and returns hostnames for PTR lookups; you can check this yourself by doing a reverse lookup of one of your internal IPs against that server.
What causes the sensor NOT to be able to resolve an IP address to a hostname?
If the sensor:
then it will not find the name…
Why? There are many possible reasons, but the answer always comes back to a question for someone who knows the network and understands how we get hostnames (the process above): 'can you explain your network architecture?'
Solution if you are not seeing hostnames
If you are not seeing hostnames and you don't have enough to go on regarding your network architecture, you can:
- Point the syslog output of your DHCP or DNS server at the NetWatcher sensor so it gains visibility into the hostnames (this is usually the quickest fix, because DHCP lease messages carry both the IP address and the client's name).
- Manually edit the asset and give it a name.
- Install the NetWatcher Cloud Endpoint on your assets.
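The following Python model ties the two parts of this page together: the four-step resolution order the sensor follows (DNS cache with a 5-minute floor, then NetBIOS, then the mDNS cache, then a PTR lookup) and the first remedy above, feeding DHCP server syslog into the sensor's cache. It is an added illustration written for this page, not NetWatcher code, and it makes some assumptions: the NetBIOS, mDNS and PTR sources are injected as plain Python callables and dictionaries so it runs offline; the DHCP syslog line is a constructed ISC dhcpd DHCPACK message; and the choice to drop DHCP-learned names into the same cache as observed DNS answers, with the 5-minute floor as their lifetime, is this example's simplification, not a statement about where the real sensor stores them.

```python
# Added example (not NetWatcher code): a model of the sensor's resolution order.
# Network sources are injected so the example runs offline; all data is constructed.
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MIN_DNS_TTL = 300  # the sensor keeps observed DNS answers for at least 5 minutes


@dataclass
class CacheEntry:
    hostname: str
    mac: Optional[str]
    expires: float  # epoch seconds


# ISC dhcpd DHCPACK syslog line. The "(hostname)" part is absent when the client
# sent no host name option, which is why the group is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via"
)


class HostnameResolver:
    def __init__(self, netbios_query: Callable[[str], Optional[str]],
                 mdns_cache: Dict[str, str],
                 ptr_lookup: Callable[[str], Optional[str]],
                 now: Callable[[], float] = time.time):
        self.dns_cache: Dict[str, CacheEntry] = {}
        self.netbios_query = netbios_query  # step 2 source (nbtstat -A equivalent)
        self.mdns_cache = mdns_cache        # step 3 source (names seen via multicast DNS)
        self.ptr_lookup = ptr_lookup        # step 4 source (reverse lookup on local DNS)
        self.now = now

    def observe_dns_answer(self, hostname: str, ip: str, ttl: int, mac: Optional[str] = None) -> None:
        """Step 1 input: a DNS answer seen on the wire, cached for max(ttl, 5 minutes)."""
        self.dns_cache[ip] = CacheEntry(hostname, mac, self.now() + max(ttl, MIN_DNS_TTL))

    def learn_from_dhcp_syslog(self, line: str) -> bool:
        """Remedy 1: feed DHCP server syslog into the cache (placement is this example's assumption)."""
        m = DHCPACK_RE.search(line)
        if not m or not m.group("host"):
            return False  # not a DHCPACK, or the client sent no host name
        # DHCP leases carry no DNS TTL; the 5-minute floor is reused as the lifetime (assumption).
        self.dns_cache[m.group("ip")] = CacheEntry(m.group("host"), m.group("mac"),
                                                   self.now() + MIN_DNS_TTL)
        return True

    def resolve(self, ip: str) -> Tuple[Optional[str], str]:
        """Return (hostname, source) following the sensor's order; source explains the result."""
        entry = self.dns_cache.get(ip)
        if entry is not None:
            if entry.expires > self.now():
                return entry.hostname, "dns-cache"
            del self.dns_cache[ip]  # TTL expired: the step-1 answer is gone, fall through
        name = self.netbios_query(ip)
        if name:
            return name, "netbios"
        name = self.mdns_cache.get(ip)
        if name:
            return name, "mdns"
        name = self.ptr_lookup(ip)
        if name:
            return name, "ptr"
        return None, "unresolved"  # every source failed: time to ask about the network


class FakeClock:
    """Controllable clock so TTL expiry can be demonstrated without waiting."""
    def __init__(self, t: float = 1_700_000_000.0):
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def build_demo_resolver(clock: FakeClock) -> HostnameResolver:
    # Constructed stand-ins for the three network-backed sources.
    netbios = {"10.20.1.29": "WS-FINANCE-29"}          # only Windows hosts answer NetBIOS
    mdns = {"10.20.1.40": "printer.local"}              # seen via multicast DNS
    ptr = {"10.20.1.50": "db01.corp.example"}           # the only reverse zone entry
    r = HostnameResolver(netbios.get, mdns, ptr.get, now=clock)
    r.observe_dns_answer("fileserver.corp.example", "10.20.1.10", ttl=60)  # clamped to 300 s
    return r


if __name__ == "__main__":
    clock = FakeClock()
    r = build_demo_resolver(clock)
    for ip in ("10.20.1.10", "10.20.1.29", "10.20.1.40", "10.20.1.50", "10.20.1.99"):
        print(ip, r.resolve(ip))
    clock.advance(301)  # the observed DNS answer has now expired
    print("10.20.1.10 after TTL:", r.resolve("10.20.1.10"))
    r.learn_from_dhcp_syslog("Mar  3 10:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.60 "
                             "to 00:11:22:33:44:55 (LAPTOP-60) via eth0")
    print("10.20.1.60 from DHCP syslog:", r.resolve("10.20.1.60"))
```

The `source` value returned beside the hostname is the useful diagnostic: an asset that only ever resolves via "ptr" tells you the sensor is not seeing that segment's DNS traffic, and a run of "unresolved" results for a whole subnet is the point at which the "can you explain your network architecture" question above becomes unavoidable.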