Ask Your Question
0

How to export resolved host addresses in 3.2.2 ?

asked 2020-02-29 14:42:42 +0000

TomLaBaude gravatar image

updated 2020-02-29 21:13:09 +0000

Guy Harris gravatar image

Statistics > Resolved Addresses now shows resolved addresses in GUI tables rather than as plain text, and copy/paste in the tables doesn't work.

Is there another way to export resolved addresses ?

In tshark I've found "-z hosts -q" but looking for a GUI way.

edit retag flag offensive close merge delete

Comments

https://osqa-ask.wireshark.org/questi...
It would be a multi step process but the data is available in the PCAPNG Name Resolution Block.

View -> Reload as File Format/Capture
Expand PCAPNG File Format then look for the Name Resolution Block.
Right click on it then Expand Subtrees.
Right click Block Data then Copy -> All Visible Items
Paste into text editor.

Maybe someone else comes up with a prettier, simpler method.

Chuckc gravatar imageChuckc ( 2020-02-29 17:40:10 +0000 )edit

Forgot to add, "Mung as needed" once it's out of Wireshark. :-)

Chuckc gravatar imageChuckc ( 2020-02-29 17:43:02 +0000 )edit

Note that you may have to save the file first before doing View -> Reload as File Format/Capture; if, for example, you do a live capture, the file was written by dumpcap, and dumpcap (by design!) doesn't resolve host names and thus doesn't write out a Name Resolution Block. In addition, if the file isn't a pcapng file, it won't have a Name Resolution Block to see.

I.e., there really isn't a good way to do this, but there should be, so getting bug 16419 fixed is the ultimate answer.

Guy Harris gravatar imageGuy Harris ( 2020-02-29 21:56:25 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-02-29 21:11:53 +0000

Guy Harris gravatar image

There's nothing macOS-specific about this.

I tried, on Ubuntu 18.04, the 2.6.10 in the standard 18.04 Wireshark package, and Statistics > Resolved Addresses pops up a text window that can be copied and pasted.

A version I built from recent master-branch source, however, has a table, with no easy way to copy and paste or to save to a file.

You should request some mechanism to save resolved addresses by posting an enhancement request on the Wireshark Bugzilla. Note that there's "saving all resolved addresses to a file", which would produce a file not directly usable as a hosts file or an ethers file or..., and there's "saving all resolved {IP,MAC,IPX,...} addresses to a file", saving only one type of address to the file, which would produce a file of that sort but wouldn't save all addresses.

edit flag offensive delete link more

Comments

What do you mean by 'there's "saving all resolved addresses to a file", which would produce a file not directly usable as a hosts file' ?

TomLaBaude gravatar imageTomLaBaude ( 2020-02-29 21:26:11 +0000 )edit

I mean that the file would have a mixture of IP addresses (IPv4 and IPv6), of the type that appears in a hosts file, and MAC addresses, of the sort that appears in an ethers file, so any code trying to read the file as a hosts file might get confused by the MAC address entries and any code trying to read the file as an ethers file might get confused by the IP address entries.

Having a "write to file" button that saves the currently displayed entries would save such a "not a pure hosts file or a pure ethers file" file if "All entries" was chosen in the dialog, would save a hosts file if "Hosts" were selected, would save an ethers file if the misnamed "Ethernet Addresses" were selected ("misnamed" because my Mac doesn't have an Ethernet adapter unless I plug my Thunderbolt Ethernet adapter in ...(more)

Guy Harris gravatar imageGuy Harris ( 2020-02-29 21:36:09 +0000 )edit
TomLaBaude gravatar imageTomLaBaude ( 2020-02-29 21:39:17 +0000 )edit

@TomLaBaude, I've attached a Lua Tap to the bug report that you might find useful, at least until such time as Wireshark supports copying the window text.

cmaynard gravatar imagecmaynard ( 2020-03-03 05:22:08 +0000 )edit

@cmaynard Awesome, thanks, also read carefully your script ! I've added details in the bug, not sure if you're CC

TomLaBaude gravatar imageTomLaBaude ( 2020-03-04 12:01:19 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-29 14:42:42 +0000

Seen: 1,556 times

Last updated: Feb 29 '20