
How to change hosts file address mappings?

asked 2020-12-14 08:40:25 +0000

efranz

Is there a kind of cache within Wireshark for hostnames?

I use the hosts file in the "programs" directory. When I delete an address mapping in the hosts file it still shows the already deleted value when I start Wireshark again. When I change the name of the mapping, sometimes it takes the new value, but most of the times it keeps the old one.

It makes me crazy. Is there an explanation for this behaviour?

Or is there a better way to do manipulations in the hosts file?


Comments

Can you add the output of wireshark -v or Help->About Wireshark?

Chuckc ( 2020-12-14 17:28:46 +0000 )

Not sure if this is related to Issue 11470?

cmaynard ( 2020-12-14 17:46:35 +0000 )
Version 3.4.1 (v3.4.1-0-g1a27f405875f) 

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.15.1, with libpcap, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler). 

Running on 64-bit ...
efranz ( 2020-12-14 18:02:09 +0000 )

Are you only editing the hosts file or have you also made changes under View->Name Resolution->Edit Resolved Name?
What is the output of capinfos -n <infile> (capinfos man page)?

Chuckc ( 2020-12-14 19:06:21 +0000 )

1 Answer


answered 2020-12-15 04:26:36 +0000

Chuckc

updated 2020-12-16 01:27:43 +0000

"Or is there a better way to do manipulations in the hosts file?"
The User's Guide has a section on Name Resolution and the hosts Configuration File.

"Is there a kind of cache within Wireshark for hostnames?"
Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file.
@cmaynard mentioned open issue 11470 where comments can be added about the name resolution process.

At this time, if a capture file has an NRB it wins when the file is opened.
The NRB can be removed from a file with tshark:

$ capinfos -n 201214_local_name_resolution.pcapng
File name:           201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20

$ tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng

$ capinfos -n 201214*
File name:           201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20

File name:           201214_no_nrb.pcapng


Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution.

  1. Open the capture file.
  2. Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OK
  3. Edit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK

    The hover text for "Resolve network (IP) addresses":

        "Resolve IPv4, IPv6, and IPX addresses into host names."
        " The next set of check boxes determines how name resolution should be performed."
        " If no other options are checked name resolution is made from Wireshark's host file"
        " and capture file name resolution blocks."

    but "Use an external network name resolver" must be checked also. Will link issue 11470 back to this question.
    Note: Reloading the capture file resets the name resolution to information in the NRB.

    To see the contents of the NRB, View -> Reload as File Format/Capture


Edit 201215: update link to NRB
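Because the NRB decides which names Wireshark shows until the file is rewritten, it helps to see what a capture actually carries. The following Python script is an added example, not code from the answer or from the Wireshark project: it walks a pcapng file's blocks, lists the address-to-name records of every Name Resolution Block, and can produce a copy with the NRBs dropped (the effect the answer's tshark -F pcapng step shows in capinfos). The sample bytes it parses are constructed inline, with made-up addresses and names.

```python
import socket
import struct
SHB, NRB = 0x0A0D0D0A, 0x00000004                                     # pcapng block types used here
NRB_END, NRB_IPV4, NRB_IPV6 = 0, 1, 2                                 # NRB record types

def iter_blocks(data):
    """Yield (block_type, start, end, endian) per block; byte order comes from each SHB."""
    endian, off = "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":                  # SHB: same bytes in either order
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or off + blen > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % off)
        yield btype, off, off + blen, endian
        off += blen

def nrb_records(body, endian):
    """Parse one NRB body into {address: [names]}; records are 32-bit padded, end record stops."""
    names, off = {}, 0
    while off + 4 <= len(body):
        rtype, rlen = struct.unpack_from(endian + "HH", body, off)
        value, off = body[off + 4:off + 4 + rlen], off + 4 + ((rlen + 3) & ~3)
        if rtype == NRB_END: break
        if rtype in (NRB_IPV4, NRB_IPV6):                              # unknown record types are skipped
            family, alen = (socket.AF_INET, 4) if rtype == NRB_IPV4 else (socket.AF_INET6, 16)
            addr = socket.inet_ntop(family, value[:alen])
            names[addr] = [n.decode() for n in value[alen:].split(b"\x00") if n]
    return names

def resolved_names(data):
    """Merge the records of every NRB in the file; a later block overrides an earlier one."""
    merged = {}
    for btype, start, end, endian in iter_blocks(data):
        if btype == NRB: merged.update(nrb_records(data[start + 8:end - 4], endian))
    return merged

def strip_nrb(data):
    """Copy of the file with every NRB removed (what the answer achieves with tshark -F pcapng)."""
    return b"".join(data[s:e] for btype, s, e, _ in iter_blocks(data) if btype != NRB)

def build_sample():
    """Constructed little-endian pcapng (SHB + one NRB) for a stand-alone run; not a real capture."""
    block = lambda t, body: struct.pack("<II", t, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
    record = lambda t, v: struct.pack("<HH", t, len(v)) + v + b"\x00" * (-len(v) % 4)
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))       # magic, version 1.0, unknown length
    nrb = block(NRB, record(NRB_IPV4, socket.inet_aton("192.0.2.10") + b"db.example\x00")
                + record(NRB_IPV6, socket.inet_pton(socket.AF_INET6, "2001:db8::1") + b"v6.example\x00alias.example\x00")
                + record(NRB_END, b""))
    return shb + nrb
```

Run resolved_names() on the bytes of a real capture to see exactly which names the NRB will impose over the hosts file, and compare the result for the tshark-rewritten copy.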


Comments

I have the hosts file under C:\Users\"myuser"\AppData\Roaming\Wireshark

Anders ( 2020-12-15 14:21:42 +0000 )

Hi Chuckc,

Thanks for the elaborate answer. I now have a clear view. I did not look into the user guide. Sorry for that.

I now can interpret the experience I had (e.g. the "mysterious" mechanism when redoing name resolution).

Next time I will look into the user guide before bothering you all.

BR Franz

efranz ( 2020-12-15 18:20:29 +0000 )
