How to export resolved host addresses in 3.2.2?

asked 2020-02-29 14:42:42 +0000

TomLaBaude

updated 2020-02-29 21:13:09 +0000

Guy Harris

Statistics > Resolved Addresses now shows resolved addresses in GUI tables rather than as plain text, and copy/paste in the tables doesn't work.

Is there another way to export resolved addresses?

In tshark I've found "-z hosts -q" but I'm looking for a GUI way.

It would be a multi step process but the data is available in the PCAPNG Name Resolution Block.

View -> Reload as File Format/Capture
Expand PCAPNG File Format then look for the Name Resolution Block.
Right click on it then Expand Subtrees.
Right click Block Data then Copy -> All Visible Items
Paste into text editor.

Maybe someone else comes up with a prettier, simpler method.

Chuckc ( 2020-02-29 17:40:10 +0000 )

Forgot to add, "Mung as needed" once it's out of Wireshark. :-)

Chuckc ( 2020-02-29 17:43:02 +0000 )

Note that you may have to save the file first before doing View -> Reload as File Format/Capture; if, for example, you do a live capture, the file was written by dumpcap, and dumpcap (by design!) doesn't resolve host names and thus doesn't write out a Name Resolution Block. In addition, if the file isn't a pcapng file, it won't have a Name Resolution Block to see.

I.e., there really isn't a good way to do this, but there should be, so getting bug 16419 fixed is the ultimate answer.

Guy Harris ( 2020-02-29 21:56:25 +0000 )
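Added example, not part of the thread and not Wireshark code: the Name Resolution Block discussed in the comments above can also be read directly from a saved pcapng file and turned into hosts-file lines. The function names and the sample bytes are constructed for illustration; a pcapng file with no Name Resolution Block gives an empty result and a non-pcapng file raises an error.

```python
import ipaddress
import struct

SHB_MAGIC = b"\n\r\r\n"  # Section Header Block type; reads the same in either byte order
NRB = 0x00000004         # Name Resolution Block type

def _records(body, bo):  # (address, name) pairs from the records of one NRB body
    out, pos = [], 0
    while pos + 4 <= len(body) and body[pos:pos + 2] != b"\0\0":  # type 0 = nrb_record_end
        rtype, rlen = struct.unpack_from(bo + "HH", body, pos)
        value = body[pos + 4:pos + 4 + rlen]
        alen = {1: 4, 2: 16}.get(rtype)  # 1 = IPv4 record, 2 = IPv6 record
        if alen and len(value) > alen:
            addr = str(ipaddress.ip_address(value[:alen]))
            out += [(addr, n.decode("utf-8", "replace"))
                    for n in value[alen:].split(b"\0") if n]
        pos += 4 + (rlen + 3) // 4 * 4  # record values are padded to 32 bits
    return out

def nrb_hosts(data):
    """Return (address, name) pairs from every Name Resolution Block in pcapng bytes."""
    if data[:4] != SHB_MAGIC:
        raise ValueError("not a pcapng file, so there is no Name Resolution Block")
    pairs, pos, bo = [], 0, "<"
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == SHB_MAGIC:  # each section declares its own byte order
            bo = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(bo + "II", data, pos)
        if blen < 12 or pos + blen > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % pos)
        if btype == NRB:
            pairs += _records(data[pos + 8:pos + blen - 4], bo)
        pos += blen
    return pairs

def as_hosts_file(pairs):  # IP entries only, so the result is a pure hosts file
    return "".join("%s\t%s\n" % p for p in pairs)

# Constructed sample, not a real capture: little-endian SHB, then one NRB (IPv4, IPv6, end).
def _block(btype, body):
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))

def _rec(rtype, value):  # record header + value, zero-padded to 32 bits
    return struct.pack("<HH", rtype, len(value)) + value + b"\0" * (-len(value) % 4)

SAMPLE = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) + _block(
    NRB, _rec(1, bytes([192, 0, 2, 10]) + b"www.example.test\0")
    + _rec(2, ipaddress.ip_address("2001:db8::1").packed + b"v6.example.test\0")
    + struct.pack("<HH", 0, 0))
```

To use it on a saved capture, pass the file's bytes to `nrb_hosts()` and write the output of `as_hosts_file()` to a text file.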

answered 2020-02-29 21:11:53 +0000

Guy Harris

There's nothing macOS-specific about this.

I tried, on Ubuntu 18.04, the 2.6.10 in the standard 18.04 Wireshark package, and Statistics > Resolved Addresses pops up a text window that can be copied and pasted.

A version I built from recent master-branch source, however, has a table, with no easy way to copy and paste or to save to a file.

You should request some mechanism to save resolved addresses by posting an enhancement request on the Wireshark Bugzilla. Note that there's "saving all resolved addresses to a file", which would produce a file not directly usable as a hosts file or an ethers file or..., and there's "saving all resolved {IP,MAC,IPX,...} addresses to a file", saving only one type of address to the file, which would produce a file of that sort but wouldn't save all addresses.

What do you mean by 'there's "saving all resolved addresses to a file", which would produce a file not directly usable as a hosts file'?

TomLaBaude ( 2020-02-29 21:26:11 +0000 )

I mean that the file would have a mixture of IP addresses (IPv4 and IPv6), of the type that appears in a hosts file, and MAC addresses, of the sort that appears in an ethers file, so any code trying to read the file as a hosts file might get confused by the MAC address entries and any code trying to read the file as an ethers file might get confused by the IP address entries.

Having a "write to file" button that saves the currently displayed entries would save such a "not a pure hosts file or a pure ethers file" file if "All entries" was chosen in the dialog, would save a hosts file if "Hosts" were selected, would save an ethers file if the misnamed "Ethernet Addresses" were selected ("misnamed" because my Mac doesn't have an Ethernet adapter unless I plug my Thunderbolt Ethernet adapter in ...(more)

Guy Harris ( 2020-02-29 21:36:09 +0000 )
TomLaBaude ( 2020-02-29 21:39:17 +0000 )

@TomLaBaude, I've attached a Lua Tap to the bug report that you might find useful, at least until such time as Wireshark supports copying the window text.

cmaynard ( 2020-03-03 05:22:08 +0000 )

@cmaynard Awesome, thanks, I also read your script carefully! I've added details in the bug, not sure if you're CC'd.

TomLaBaude ( 2020-03-04 12:01:19 +0000 )

