 | 1 | initial version |
"Or is there a better way to do manipulations in the hosts file?"
The User's Guide has a section on Name Resolution and the hosts Configuration File
"Is there a kind of cache within Wireshark for hostnames?"
Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file.
@cmaynard mentioned open issue 11470 where comments can be added about the name resolution process.
At this time, if a capture file has a NRB it wins when the file is opened.
The NRB can be removed from a file with tshark:
$ capinfos -n 201214_local_name_resolution.pcapng
File name: 201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20
$ tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng
$ capinfos -n 201214*
File name: 201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20
File name: 201214_no_nrb.pcapng
Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution.
Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OKEdit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK
The hover text for "Resolve network (IP) addresses":
"Resolve IPv4, IPv6, and IPX addresses into host names."
" The next set of check boxes determines how name resolution should be performed."
" If no other options are checked name resolution is made from Wireshark's host file"
" and capture file name resolution blocks."<br>
but Use an external network name resolver must be checked also. Will link issue 11470 back to this question.
Note: Reloading the capture file resets the name resolution to information in the NRB.
To see the contents of the NRB, View -> Reload as File Format/Capture
| | 2 | No.2 Revision |
"Or is there a better way to do manipulations in the hosts file?"
The User's Guide has a section on Name Resolution and the hosts Configuration File
"Is there a kind of cache within Wireshark for hostnames?"
Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file.
@cmaynard mentioned open issue 11470 where comments can be added about the name resolution process.
At this time, if a capture file has a NRB it wins when the file is opened.
The NRB can be removed from a file with tshark:
$ capinfos -n 201214_local_name_resolution.pcapng
File name: 201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20
$ tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng
$ capinfos -n 201214*
File name: 201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20
File name: 201214_no_nrb.pcapng
Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution.
Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OKEdit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK
The hover text for "Resolve network (IP) addresses":
"Resolve IPv4, IPv6, and IPX addresses into host names."
" The next set of check boxes determines how name resolution should be performed."
" If no other options are checked name resolution is made from Wireshark's host file"
" and capture file name resolution blocks."<br>
but Use an external network name resolver must be checked also. Will link issue 11470 back to this question.
Note: Reloading the capture file resets the name resolution to information in the NRB.
To see the contents of the NRB, View -> Reload as File Format/Capture
| | 3 | No.3 Revision |
"Or is there a better way to do manipulations in the hosts file?"
The User's Guide has a section on Name Resolution and the hosts Configuration File
"Is there a kind of cache within Wireshark for hostnames?"
Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file.
@cmaynard mentioned open issue 11470 where comments can be added about the name resolution process.
At this time, if a capture file has a NRB it wins when the file is opened.
The NRB can be removed from a file with tshark:
$ capinfos -n 201214_local_name_resolution.pcapng
File name: 201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20
$ tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng
$ capinfos -n 201214*
File name: 201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20
File name: 201214_no_nrb.pcapng
Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution.
Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OKEdit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK
The hover text for "Resolve network (IP) addresses":
"Resolve IPv4, IPv6, and IPX addresses into host names."
" The next set of check boxes determines how name resolution should be performed."
" If no other options are checked name resolution is made from Wireshark's host file"
" and capture file name resolution blocks."<br>
but Use an external network name resolver must be checked also. Will link issue 11470 back to this question.
Note: Reloading the capture file resets the name resolution to information in the NRB.
To see the contents of the NRB, View -> Reload as File Format/Capture
Edit 201215: update link to NRB
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.