Revision history [back]

I think this feature needs work.

Currently, the only way I know to remove the name is to close the file without saving it. If you've already saved the changes to a .pcapng file, then a Name Resolution Block is added to the .pcapng file containing the address and resolved name information, so you can either re-save the .pcapng file as a .pcap file to remove the information (but you will lose all other .pcapng information too), or use a binary editor or possibly other tools to remove the entire block.

You can view the Name Resolution Block if you load the .pcapng file in Wireshark using "View -> Reload as File Format/Capture".

It's too bad that you can't clear the resolved name directly from Wireshark. When you attempt to do so by right-clicking the name in the packet details pane to choose, "Edit Resolved Name", you are not allowed to clear the name since the OK button is not active. Also, there does appear a "Name Resolution Preferences..." button; however, if you click on that, it actually just brings up the *Filter Buttons" preferences.

I'd recommend opening up Wireshark bugs for these behaviors:

• Allow manually resolved names to be cleared from Wireshark.
• The "Name Resolution Preferences..." button should bring up the relevant "Name Resolution" preferences dialog and should include a list of manually added resolved names that can be edited/cleared.
• If manually resolved names are added and the capture file is saved, the names will only be saved if the capture file is saved in a format that supports saving them. This is currently not made obvious to the user and so saving the file as a .pcap file results in a loss of information that the user may not be aware of.