Description
Documentation says that -H (which implies -Wn) writes data to pcapng files. With a local hosts file, when I try

    bash$ ping 8.8.8.8 &
    bash$ tshark -c 10 -f icmp -w temp.pcapng
    bash$ tshark -r temp.pcapng -H hosts -w temp2.pcapng

I see normal traffic with no modifications to display of IP address. Local hosts file looks something like this:

    127.0.0.1 localhost
    192.168.0.1 this_computer
    8.8.8.8 google_dns

I can see that a pcapng Name Resolution Block exists with xxd:

    bash$ xxd temp2.pcapng | grep this -B 5 -A 5
    00000620: d0fb 763a 3757 76df 4c5d 0000 0000 f362  ..v:7Wv.L].....b
    00000630: 0c00 0000 0000 1011 1213 1415 1617 1819  ................
    00000640: 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829  ...... !"#$%&'()
    00000650: 2a2b 2c2d 2e2f 3031 3233 3435 3637 0000  *+,-./01234567..
    00000660: 8400 0000 0400 0000 3c00 0000 0100 1200  ........<.......
    00000670: c0a8 01f6 7468 6973 5f63 6f6d 7075 7465  ....this_compute
    00000680: 7200 0000 0100 0f00 0808 0808 676f 6f67  r...........goog
    00000690: 6c65 5f64 6e73 0000 0000 0000 3c00 0000  le_dns......<...

Question
When I use tshark -r temp2.pcapng -NNn, I see IP to name mappings (names I see are mbp.attlocal.net and dns.google). Using both Wireshark and tshark -r temp2.pcapng -Nd, I do not see "this_computer" or "google_dns" in place of IP addresses. How can I see the data stored in the Name Resolution Block with tshark?
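
Added example, not part of the original post and not Wireshark code: a small Python reader that walks the pcapng blocks and lists the address-to-name records stored in any Name Resolution Block, which confirms what a file carries independently of how tshark displays it. The function names are hypothetical, and the sample is constructed from a minimal Section Header Block plus the NRB bytes shown in the xxd dump above.

```python
import ipaddress
import struct

NRB = 0x00000004                     # pcapng Name Resolution Block type
REC_END, REC_IPV4, REC_IPV6 = 0, 1, 2
ADDR_LEN = {REC_IPV4: 4, REC_IPV6: 16}

def parse_nrb_records(body, endian):
    """Yield (address, [names]) for each address record in one NRB body."""
    off = 0
    while off + 4 <= len(body):
        rtype, rlen = struct.unpack_from(endian + "HH", body, off)
        if rtype == REC_END:
            return
        value = body[off + 4:off + 4 + rlen]
        off += 4 + ((rlen + 3) & ~3)  # record values are padded to 32 bits
        alen = ADDR_LEN.get(rtype)
        if alen is None or len(value) < alen:
            continue                  # unknown or truncated record: skip it
        names = [n.decode("utf-8", "replace") for n in value[alen:].split(b"\0") if n]
        yield str(ipaddress.ip_address(value[:alen])), names

def name_resolution_entries(data):
    """Walk every block in a pcapng byte string and collect NRB mappings."""
    entries, off, endian = [], 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":   # Section Header Block
            magic = data[off + 8:off + 12]             # byte-order magic
            if magic not in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
                raise ValueError("bad byte-order magic")
            endian = "<" if magic[0] == 0x4D else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if btype == NRB:
            entries += parse_nrb_records(data[off + 8:off + blen - 4], endian)
        off += blen
    return entries

# Constructed sample: a minimal SHB plus the 60-byte NRB from the xxd dump above.
SAMPLE = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28) + bytes.fromhex(
    "040000003c000000"
    "01001200c0a801f6746869735f636f6d7075746572000000"
    "01000f0008080808676f6f676c655f646e730000"
    "000000003c000000")

if __name__ == "__main__":
    for addr, names in name_resolution_entries(SAMPLE):
        print(addr, ", ".join(names))
```

To run it against a real capture, pass the file's bytes (for example `open("temp2.pcapng", "rb").read()`) to `name_resolution_entries` in place of `SAMPLE`.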