How does tshark read files with dns entries saved with -H?

asked 2019-08-09 03:33:06 +0000

Ross Jacobs
71 ●3 ●32 ●13

Description

Documentation says that -H, (which implies -Wn) writes data to pcapng files. With a local hosts file, when I try

bash$ ping 8.8.8.8 &
bash$ tshark -c 10 -f icmp -w temp.pcapng 
bash$ tshark -r temp.pcapng -H hosts -w temp2.pcapng

I see normal traffic with no modifications to display of IP address. Local hosts file looks something like this:

127.0.0.1      localhost
192.168.0.1    this_computer
8.8.8.8        google_dns

I can see that a pcapng Name Resolution Block exists with xxd:

bash$ xxd temp2.pcapng | grep this -B 5 -A 5
00000620: d0fb 763a 3757 76df 4c5d 0000 0000 f362  ..v:7Wv.L].....b
00000630: 0c00 0000 0000 1011 1213 1415 1617 1819  ................
00000640: 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829  ...... !"#$%&'()
00000650: 2a2b 2c2d 2e2f 3031 3233 3435 3637 0000  *+,-./01234567..
00000660: 8400 0000 0400 0000 3c00 0000 0100 1200  ........<.......
00000670: c0a8 01f6 7468 6973 5f63 6f6d 7075 7465  ....this_compute
00000680: 7200 0000 0100 0f00 0808 0808 676f 6f67  r...........goog
00000690: 6c65 5f64 6e73 0000 0000 0000 3c00 0000  le_dns......<...

Question

When I use tshark -r temp2.pcapng -NNn I see IP to name mappings (names I see are mbp.attlocal.net and dns.google). Using both Wireshark and tshark -r temp2.pcapng -Nd, I do not see "this_computer" or "google_dns" in place of IP addresses. How can I see the data stored in the Name Resolution Block with tshark?

edit retag flag offensive close merge delete

Comments

Wireshark can switch between "Capture" and "File Format" modes using the menu item View -> "Reload as File Format/Capture" or the appropriate hot keys.

The "File Format" mode shows the blocks in a pcapng file, and can handle other file types as well.

I'm not aware of any method to allow tshark to produce "File Format" output.

grahamb ( 2019-08-09 09:19:54 +0000 )edit

Cheers Graham. I wasn't aware of the "Reload as File Format/Capture" option. While this is useful information, my question is how do I see it displayed in src/dst address instead of IP (see pictures below)?

This is the relevant file: https://dl.dropboxusercontent.com/s/5.... When I open it with Wireshark, I see the this_computer and google_dns alternating in the source/dest address columns, but in tshark, I only see their IP addresses.

Pictures

Wireshark: https://dl.dropboxusercontent.com/s/q... tshark: https://dl.dropboxusercontent.com/s/z...

Ross Jacobs ( 2019-08-09 09:54:02 +0000 )edit

add a comment

answered 2019-08-09 10:11:34 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●951 ●227 https://www.wireshark.org

Sorry for mis-reading your question, I now see it's querying the discrepancy between Wireshark and tshark representations.

Are you adding -2 to tshark to enable 2-pass processing? The output might depend on where the dns block is being stored in the pcapng.

edit flag offensive delete link

Comments

In a small test I found the name resolution block was added to the end of the pcapng file, and adding -2 to the tshark command line then used that block to display the names in it.

grahamb ( 2019-08-09 13:17:22 +0000 )edit

What a genius! Thanks for your help Graham.

Ross Jacobs ( 2019-08-09 17:55:13 +0000 )edit

add a comment

How does tshark read files with dns entries saved with -H?

Description

Question

Comments

Pictures

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

How does tshark read files with dns entries saved with -H? edit

Description

Question

Comments

Pictures

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

How does tshark read files with dns entries saved with -H?