Question

I wrote a test program to capture packets for a given domain name. I was using gethostbyname() to retrieve ip address and pcap to capture packets destined for that ip address. The pcap_loop() count was set to -1 so it is supposed to keep capturing.

Theoretically, all packets that send from my pc to that ip address would be captured, regardless of if that domain name is visited by web browser or just by pinging it, right?

After testing, although this is true for many websites, it is not applicable for high-traffic sites like google or ebay. Meaning if I ping the ip address retrieved from the gethostbyname(), the ping packets will be captured by the program, but if I visit google.com on firefox, no packets are captured. That shows there might be a different ip address for the same domain name like google.com.

If that is the case, why does the DNS server return different ips for google.com while others are identical? And what is the difference, if there's any, between requests from gethostbyname() and those from a web browser?

Thanks in advance.


Solution

In case the given domain name resolves to more than one IP address, you need to make sure your capture filter is set up to capture for all of them, because you never know which one the web browser is going to select. If you only filter for (say) the first one returned, there is only a 1 in n chance that you will pick the same one as the web browser does (where n is the number of addresses).

By the way, you should consider using getaddrinfo() instead of gethostbyname(). gethostbyname() is deprecated and obsolete. Most importantly, it is unable to return IPv6 addresses.

gethostbyname() returns the list of resolved IP addresses as an array... but only the IPv4 ones.

getaddrinfo() returns the list of resolved IP addresses as a linked list.
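As an added example (not code from the question or the answer), the following C program walks the linked list returned by getaddrinfo() and builds a pcap filter expression of the form "host A or host B or ...", so the capture covers every address the browser might pick instead of only the first one. The helper names build_host_filter() and resolve_host_filter() are hypothetical, and the default address 192.0.2.1 is a constructed sample so the program also runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Build "host A or host B ..." from an addrinfo list (IPv4 and IPv6).
 * Returns the number of addresses written, or -1 if 'out' is too small. */
int build_host_filter(const struct addrinfo *res, char *out, size_t outlen)
{
    int n = 0;
    size_t used = 0;
    out[0] = '\0';
    for (const struct addrinfo *ai = res; ai != NULL; ai = ai->ai_next) {
        char addr[INET6_ADDRSTRLEN];
        const void *src;
        if (ai->ai_family == AF_INET)
            src = &((const struct sockaddr_in *)ai->ai_addr)->sin_addr;
        else if (ai->ai_family == AF_INET6)
            src = &((const struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
        else
            continue;
        if (inet_ntop(ai->ai_family, src, addr, sizeof addr) == NULL)
            continue;
        int w = snprintf(out + used, outlen - used, "%shost %s", n ? " or " : "", addr);
        if (w < 0 || (size_t)w >= outlen - used) { out[used] = '\0'; return -1; }
        used += (size_t)w;
        n++;
    }
    return n;
}

/* Resolve 'host' for all address families (stream sockets only, so each
 * address appears once) and build the filter. 'numeric' sets AI_NUMERICHOST
 * so literal addresses resolve without a DNS server. Returns count or -1. */
int resolve_host_filter(const char *host, int numeric, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (numeric) hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    int n = build_host_filter(res, out, outlen);
    freeaddrinfo(res);
    return n;
}

int main(int argc, char **argv)
{
    char filter[1024];
    const char *host = argc > 1 ? argv[1] : "192.0.2.1"; /* constructed sample */
    int n = resolve_host_filter(host, argc <= 1, filter, sizeof filter);
    if (n < 0) { fprintf(stderr, "could not resolve %s\n", host); return 1; }
    printf("%d address(es); pcap filter: %s\n", n, filter);
    return 0;
}
```

Pass a real hostname as the first argument to resolve it via DNS; the resulting string can be handed to pcap_compile() so that pcap_loop() sees traffic to any of the returned addresses.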

License: CC-BY-SA with attribution
Not affiliated with StackOverflow