You see a '?' symbol in the hostname column next to the IP

The '?' symbol means that the IPv4 address was not 'resolved' to a hostname. Usually it means that the DNS server your computer communicates with does not have a PTR record indicating a hostname for the IPv4 address. Or, in some cases, the Windows or OSX computer with that IP address does not have an accessible NetBIOS port 137.

Here is the process we use to obtain the hostname for the IPv4 address. The IP address is passed to the operating system's 'resolver', which is a standard Windows Win32 function called 'gethostbyaddr'. gethostbyaddr (the resolver function) works by first looking at your hosts file (C:\Windows\System32\drivers\etc\hosts). Failing that, the function sends a PTR query to each DNS server in order (as configured in your system by DHCP or static network interface settings). If each DNS server fails to return an answer, the function does a NetBIOS Name Server Node Status Request query from port 137 of your machine to port 137 on the target machine (via UDP). If successful, the NetBIOS query returns the Windows computer name. If gethostbyaddr fails, we place a '?' in the hostname column.

Things to check:
- Is the IP address to hostname PTR record in DNS? (We are not talking about the hostname to IP address A record.)
- Does the computer running the Switch Port Mapper have the right DNS configured? (Use the command line ipconfig /all to check DNS for each interface.)
- If the IP address is known NOT to be in DNS, is there a firewall or router blocking UDP port 137 NetBIOS communications to the Windows computer? (Test NetBIOS this way: use the command line nbtstat -a ipAddress against the Windows target to try to see the NetBIOS computer name.)
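
The lookup order described above and the NetBIOS check from the last item can be reproduced step by step to see which stage fails. The Python sketch below is an added example, not code from the Switch Port Mapper: it builds the Node Status Request, parses the reply, and falls back to it when the resolver fails. All function names are hypothetical.

```python
import socket
import struct

def build_node_status_request(txid=0x1234):
    """Node Status Request for the wildcard name '*', as sent by nbtstat -a."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # one question
    raw = b"*" + b"\x00" * 15
    # NetBIOS first-level encoding: each nibble becomes a letter 'A'..'P'
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return header + b"\x20" + enc + b"\x00" + struct.pack(">HH", 0x0021, 1)

def parse_node_status(data):
    """Return [(name, suffix, is_group)] from a Node Status Response."""
    pos = 12                                  # skip the fixed header
    while pos < len(data) and data[pos]:
        pos += 1 + data[pos]                  # skip the echoed name labels
    pos += 11                                 # zero byte, type, class, TTL, rdlength
    if pos >= len(data):
        return []
    names = []
    for i in range(data[pos]):                # data[pos] = number of names
        entry = data[pos + 1 + 18 * i:pos + 19 + 18 * i]
        if len(entry) < 18:
            break                             # truncated reply
        names.append((entry[:15].decode("ascii", "replace").rstrip(),
                      entry[15], bool(entry[16] & 0x80)))
    return names

def computer_name(data):
    """The unique (non-group) name with suffix 0x00 is the computer name."""
    return next((n for n, sfx, grp in parse_node_status(data)
                 if sfx == 0x00 and not grp), None)

def netbios_name(ip, timeout=2.0):
    """Query UDP 137 directly. Assumption: sent from an ephemeral source
    port, not port 137, so firewall rules may treat it differently."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_node_status_request(), (ip, 137))
            return computer_name(s.recvfrom(1024)[0])
        except OSError:
            return None                       # blocked, filtered or no answer

def lookup(ip):
    """OS resolver first, then NetBIOS; '?' mirrors the hostname column."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return netbios_name(ip) or "?"
```

If `netbios_name` returns a name while `socket.gethostbyaddr` fails for the same address, the missing piece is the PTR record in DNS rather than a blocked port 137.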