Revision history

initial version

As I understand, the hosts file only works for capturing traffic from the computer where the hosts file is located.
First, host name resolution happens when a packet is dissected, not when it's captured, and a capture may be done on one machine and the file read by Wireshark or TShark on a completely different machine, so there's no guarantee that the name resolution will be done on the machine on which the capture is done.

Second, the hosts file is not the system hosts file on the machine on which you're running Wireshark or TShark. There can be two hosts files, the contents of which are combined - a "global" hosts file for Wireshark, installed in the "data file directory" for Wireshark (on macOS, that directory is in the Wireshark application bundle; on Windows, it's in the directory containing the Wireshark executable; on UN*Xes other than macOS, it's probably a directory under /usr or /usr/local - it's not, for example, /etc on UN*Xes), and a "personal" hosts file, stored in the Wireshark preferences directory or in a profile directory under that directory. Current versions of Wireshark/TShark don't use the system hosts file to do any name resolution; they just use DNS, name entries stored in pcapng files, and their own hosts files.

So it will use whatever hosts file you supply, as per cmaynard's answer, and that will be used for all captures, regardless of what machine the capture was performed on.
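As an added illustration (not code from this answer or from Wireshark itself), the Python below models the behaviour described above: two hosts files in the classic hosts-file format are combined on the analysis machine and applied to packet summaries when they are read, so the names come from the reader's files, not from wherever the capture was taken. The file contents and summary lines are constructed samples, and the rule that personal entries override global ones on conflict is an assumption, not something the answer states.

```python
import ipaddress
import re

# Constructed sample contents; the real files live in the locations the
# answer describes (data file directory / profile directory).
GLOBAL_HOSTS = """\
# "global" hosts file (data file directory)
10.0.0.5     fileserver.corp   fs01
192.0.2.10   sensor-a
"""

PERSONAL_HOSTS = """\
# "personal" hosts file (profile directory)
10.0.0.5     fileserver-new.corp    # ASSUMPTION: personal entry wins on conflict
2001:db8::1  dc01.corp
"""

def parse_hosts(text):
    """Return {normalized_address: first_name}; '#' comments and malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])  # normalizes e.g. 2001:0db8::1
        except ValueError:
            continue
        table.setdefault(str(addr), fields[1])  # first entry for an address wins
    return table

def combine(global_text, personal_text):
    """Merge both files into one lookup table (ASSUMPTION: personal overrides global)."""
    merged = parse_hosts(global_text)
    merged.update(parse_hosts(personal_text))
    return merged

# Candidate tokens that could be IPv4/IPv6 literals; non-addresses are left alone below.
ADDR_RE = re.compile(r"\b[0-9a-fA-F:.]+\b")

def annotate(summary_line, table):
    """Resolve addresses in a tshark-style summary line using the combined table."""
    def sub(match):
        try:
            key = str(ipaddress.ip_address(match.group(0)))
        except ValueError:
            return match.group(0)  # port, timestamp or frame number: unchanged
        return table.get(key, match.group(0))
    return ADDR_RE.sub(sub, summary_line)
```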