# Revision history [back]

"Or is there a better way to do manipulations in the hosts file?"
The User's Guide has a section on Name Resolution and the hosts Configuration File

"Is there a kind of cache within Wireshark for hostnames?"
Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file.

At this time, if a capture file has a NRB it wins when the file is opened.
The NRB can be removed from a file with tshark:

$capinfos -n 201214_local_name_resolution.pcapng File name: 201214_local_name_resolution.pcapng Number of resolved IPv4 addresses in file: 20$ tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng

$capinfos -n 201214* File name: 201214_local_name_resolution.pcapng Number of resolved IPv4 addresses in file: 20 File name: 201214_no_nrb.pcapng  Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution. 1. Open the capture file. 2. Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OK 3. Edit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK The hover text for "Resolve network (IP) addresses":  "Resolve IPv4, IPv6, and IPX addresses into host names." " The next set of check boxes determines how name resolution should be performed." " If no other options are checked name resolution is made from Wireshark's host file" " and capture file name resolution blocks."<br>  but Use an external network name resolver must be checked also. Will link issue 11470 back to this question. Note: Reloading the capture file resets the name resolution to information in the NRB. To see the contents of the NRB, View -> Reload as File Format/Capture "Or is there a better way to do manipulations in the hosts file?" The User's Guide has a section on Name Resolution and the hosts Configuration File "Is there a kind of cache within Wireshark for hostnames?" Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file. @cmaynard mentioned open issue 11470 where comments can be added about the name resolution process. At this time, if a capture file has a NRB it wins when the file is opened. The NRB can be removed from a file with tshark: $ capinfos -n 201214_local_name_resolution.pcapng
File name:           201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20

$tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng$ capinfos -n 201214*
File name:           201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20

File name:           201214_no_nrb.pcapng


Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution.

1. Open the capture file.
2. Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OK
3. Edit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK

The hover text for "Resolve network (IP) addresses":

    "Resolve IPv4, IPv6, and IPX addresses into host names."
" The next set of check boxes determines how name resolution should be performed."
" If no other options are checked name resolution is made from Wireshark's host file"
" and capture file name resolution blocks."<br>


but Use an external network name resolver must be checked also. Will link issue 11470 back to this question.
Note: Reloading the capture file resets the name resolution to information in the NRB.

To see the contents of the NRB, View -> Reload as File Format/Capture

"Or is there a better way to do manipulations in the hosts file?"
The User's Guide has a section on Name Resolution and the hosts Configuration File

"Is there a kind of cache within Wireshark for hostnames?"
Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file.

At this time, if a capture file has a NRB it wins when the file is opened.
The NRB can be removed from a file with tshark:

$capinfos -n 201214_local_name_resolution.pcapng File name: 201214_local_name_resolution.pcapng Number of resolved IPv4 addresses in file: 20$ tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng

\$ capinfos -n 201214*
File name:           201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20

File name:           201214_no_nrb.pcapng


Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution.

1. Open the capture file.
2. Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OK
3. Edit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK

The hover text for "Resolve network (IP) addresses":

    "Resolve IPv4, IPv6, and IPX addresses into host names."
" The next set of check boxes determines how name resolution should be performed."
" If no other options are checked name resolution is made from Wireshark's host file"
" and capture file name resolution blocks."<br>


but Use an external network name resolver must be checked also. Will link issue 11470 back to this question.
Note: Reloading the capture file resets the name resolution to information in the NRB.

To see the contents of the NRB, View -> Reload as File Format/Capture

Edit 201215: update link to NRB