Which AI To Use for Cybersecurity? Part 1

In my day to day work, I ask AI questions as if I’m turning to a trusted colleague to give me guidance. We all do. It’s how we work faster, smarter.

I generally bounce around between three AI agents: Bing Co-Pilot, Google Gemini, and White Rabbit NEO.

So the question I asked myself was, “Is one of these AI offerings better than the others when it comes to cybersecurity?” I thought I’d begin answering that question by giving the three agents the same question to answer. I’ve always wondered something about Wireshark, so I thought I’d compare their answers.

Prompt

“Why are ip addresses displayed in reverse order in Wireshark’s ‘info’ column?”

This is an example from Wireshark that illustrates why I’m asking the question:

Specifically, what was in the Info column:

Note that the Info column contains “247.1.168.192.in-addr.arpa.” This IP address is in reverse order. It’s actually 192.168.1.247.

Here are the responses from each of the AI offerings.

Co-Pilot’s Response

In Wireshark's "Info" column, you might notice that IP addresses are displayed in reverse order. Let's explore the reasons behind this behavior:
- Address Resolution:
    - Wireshark aims to provide meaningful information about network packets. When it encounters an IP address, it tries to resolve it to a hostname (if possible).
    - If the IP address corresponds to a known host (e.g., obtained from DNS answers in the capture file), Wireshark displays the associated hostname alongside the IP address.
    - However, if the hostname is unknown, users can manually populate it based on a reverse DNS lookup.
- Highest Layer Addresses:
    - Wireshark displays the two highest layer address pairs it can find in each packet.
    - For example:
        - If the packet contains an IP layer, Wireshark shows the IP addresses.
        - If it's an ARP packet, which only has MAC addresses, those are displayed.
- Column Setup:
    - The behavior depends on the column configuration in Wireshark.
    - When you see an IP address, it's because Wireshark found an IP layer in the packet.
    - If there's no IP layer, it will display other relevant information (such as MAC addresses).
In summary, Wireshark prioritizes displaying the most relevant address information based on the packet's content. The reverse order of IP addresses is a result of this approach, emphasizing meaningful data for network analysis. 🕵️‍♂️🔍

Gemini’s Response

Wireshark's "info" column doesn't actually display IP addresses in reverse order. There might be a misunderstanding.

Here's what's likely happening:

* By default, Wireshark shows the raw IP address (e.g., 192.168.1.1).
* It can also attempt to resolve the IP address to a hostname using a process called a "reverse DNS lookup." (This needs to be enabled in Wireshark's settings.)
* If the lookup is successful, the "info" column might display the hostname (e.g., "[invalid URL removed]") instead of the IP address.

The hostname itself might appear like it's in reverse order because it follows a hierarchical structure with the most specific part (e.g., "google") on the left and broader categories (like ".com") on the right. This is completely different from how IP addresses are written (most specific on the right).

Here are some resources that might help:

* Wireshark documentation on resolving IP addresses: [https://www.wireshark.org/docs/wsug_html_chunked/ChAdvNameResolutionSection.html](https://www.wireshark.org/docs/wsug_html_chunked/ChAdvNameResolutionSection.html)
* Understanding IP addresses and DNS: [https://techterms.com/definition/ip_address](https://techterms.com/definition/ip_address)

White Rabbit NEO’s Response

In Wireshark, the "info" column typically displays the packet details, including the source and destination IP addresses. The IP addresses are displayed in reverse order when using IPv4 addresses, which is a common convention in the packet display.

In IPv4, the first octet of an IP address represents the network portion of the address, while the last octet represents the host portion. When displaying IP addresses, the most significant octet (MSO) comes first, followed by the second-most significant octet (SMO), and so on.

However, when looking at the packet details in Wireshark, the IP addresses are often displayed in reverse order. This is because Wireshark typically displays the IP addresses in the order that they are received or transmitted, which is from the host to the network, and not from the network to the host.

Therefore, when displaying an IPv4 address in Wireshark, the order of the octets is reversed to match the actual order of the bytes in the packet. This is a common practice in network packet analysis tools to make the IP addresses more readable and understandable.

For example, if the actual IP address is 192.168.1.100, Wireshark will display it as 100.1.168.192. The first octet (100) represents the host portion, while the last octet (192) represents the network portion.

In IPv6, the addresses are displayed in their original order, without any reversal, as IPv6 addresses are more complex and have a different structure compared to IPv4.

So in summary, the IP addresses in Wireshark's "info" column are displayed in reverse order because it matches the actual order of the bytes in the packet, which is from the host to the network. This is a common convention in network packet analysis tools to make the IP addresses more readable and understandable.

Analysis of Responses

Bing Co-Pilot
Co-Pilot did not answer the question, but instead gave a response that had an element of truthiness about it. Reading it, I felt like Co-Pilot was either a teenager answering a question in school hoping he could snow the teacher with BS and therefore not reveal he didn’t know the answer, or a politician acting the same way for the same reasons.

Google Gemini
Gemini was just plain wrong when it said, “Wireshark’s ‘info’ column doesn’t actually display IP addresses in reverse order.” I have a real-world example to show that it does, at least sometimes.

White Rabbit NEO
White Rabbit NEO actually answered the question with a plausible explanation: Wireshark displays IP addresses in reverse order because it displays them in the order in which they were received.

To be fair (which is an odd thing to say because I’m talking about large language models; do I need to be ‘fair’ to them?), I think the question is not as specific as it could be. After reading through the responses, I went back to Wireshark. It appears that the only time addresses appear in reverse order is in DNS conversations. So it may have been more appropriate to try another iteration with the word “sometimes,” as in

“Why are ip addresses sometimes displayed in reverse order in Wireshark’s ‘info’ column?”
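The observation above that reversed addresses only show up in DNS conversations can be checked directly: a reverse-DNS (PTR) query for an IPv4 address is built, per RFC 1035, by writing the octets least-significant-first under in-addr.arpa, so 192.168.1.247 is queried as 247.1.168.192.in-addr.arpa, exactly the string in the Info column screenshot. The following is an added example, not code from the blog post or from Wireshark; the Info-column strings it parses are constructed to resemble Wireshark's DNS summary text, not lines from a real capture, and it also covers IPv6 (ip6.arpa nibble reversal), which the post does not discuss.

```python
"""Build and decode reverse-DNS (PTR) names, and spot them in Info-style lines.

Reverse lookups put the address under in-addr.arpa (IPv4) or ip6.arpa (IPv6)
with the components reversed so the DNS tree can be delegated by prefix. That
is why a PTR query for 192.168.1.247 appears as 247.1.168.192.in-addr.arpa.
"""
import ipaddress
import re


def ptr_name(ip: str) -> str:
    """Return the reverse-lookup name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6: 32 hex nibbles, one per label, reversed, under ip6.arpa
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(ip: str) -> bool:
    """Cross-check ptr_name() against the standard library's reverse_pointer."""
    return ptr_name(ip) == ipaddress.ip_address(ip).reverse_pointer


def ip_from_ptr_name(name: str) -> str:
    """Recover the address an in-addr.arpa / ip6.arpa name refers to.

    Raises ValueError for names that are not well-formed reverse names,
    e.g. wrong label count or an octet outside 0-255.
    """
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError(f"expected 4 octets, got {len(labels)}: {name}")
        # IPv4Address validates each octet; bad values raise a ValueError subclass
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"expected 32 single-hex-digit labels: {name}")
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a reverse-lookup name: {name}")


# "PTR <name>" as it appears in a DNS query/response summary line
PTR_RE = re.compile(r"\bPTR\s+(\S+)")


def reversed_names_in_info(info_lines):
    """Return (reverse_name, decoded_address) for each line carrying a PTR name.

    Lines without a PTR name, or whose PTR name is not a reverse-lookup name,
    are skipped rather than treated as errors.
    """
    found = []
    for line in info_lines:
        m = PTR_RE.search(line)
        if not m:
            continue
        try:
            found.append((m.group(1), ip_from_ptr_name(m.group(1))))
        except ValueError:
            continue
    return found


# Constructed sample lines modelled on Wireshark's DNS summary; not a real capture.
SAMPLE_INFO = [
    "Standard query 0x1a2b PTR 247.1.168.192.in-addr.arpa",
    "Standard query response 0x1a2b PTR 247.1.168.192.in-addr.arpa PTR printer.lan",
    "Standard query 0x3c4d A www.example.com",
    f"Standard query 0x5e6f PTR {ptr_name('::1')}",
]


if __name__ == "__main__":
    print(ptr_name("192.168.1.247"))            # 247.1.168.192.in-addr.arpa
    for name, addr in reversed_names_in_info(SAMPLE_INFO):
        print(f"{name} -> {addr}")
```

Only lines with a PTR name decode to an address; the A query for www.example.com is left alone, which is the "sometimes" in the reworded prompt: the reversal is a property of the reverse-DNS naming scheme, not of how Wireshark prints IP headers.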

Stay tuned for the answer in Part 2….
