This would be a new feature or Enhancement request. They are created on the Wireshark Gitlab Issues page. (If you open an issue please add a link back to this question.)
What's happening:
Last one in wins. This is how the global hosts file is superseded by entries in the personal hosts.
When an entry come in from DNS it updates the hash table.
What you're looking for is sort of like nsswitch.conf setting the order or precedence of checking.
I'm not sure if this would need to be another Name Resolution preference or if hosts entries always win.
The address hash table hashipv4_t (wtap.h) does have a flags field that might be used to implement this. If an entry is added in read_hosts_file(), set the flag bit so the entry is not updated by DNS.
packet-dns.c:
case T_A: /* a host Address (1) */
...
add_ipv4_name(addr_int, name);
...
case T_AAAA: /* IPv6 Address (28) */
...
add_ipv6_name(&addr_in6, name);
addr_resolv.c:
add_ipv4_name(const guint addr, const gchar *name)
...
tp = (hashipv4_t *)wmem_map_lookup(ipv4_hash_table, GUINT_TO_POINTER(addr));
if (!tp) {
tp = new_ipv4(addr);
wmem_map_insert(ipv4_hash_table, GUINT_TO_POINTER(addr), tp);
}
if (g_ascii_strcasecmp(tp->name, name)) {
(void) g_strlcpy(tp->name, name, MAXNAMELEN);
new_resolved_objects = TRUE;
}
"hosts file" - do you mean the Wireshark
hostsfile or the operating systemhostsfile?the Wireshark
hostsfile"DNS discovered A records" - does that mean records from
captured DNS packet dataor queries toexternal network name resolver?Preferences/Name-Resolution (WSUG doesn't have all Preference pages - added to Wiki)
Is your
hostsfile in the Global config folder or in the profile folder? The WSUG and man pages say that one will be read from the Personal config folder but that's incorrect.You can verify that the host file is read in properly by starting the Wireshark Gui then looking at:
Statistics -> Resolved Addressesand changeAll entriestoHosts.If the host file was read properly, the host entries will be in the table.
hostsfile in personal config folder works fine. The discovered FQDNs via DNS pkts in the pcap works as well. If IP is defined inhostsfile and also in the DNS pkts in pcap the DNS pkt discovery takes precedence overhostsfile. I want the personalhostsfile to be top priority. I can turn off usage of DNS pkts in pcap for name resolution but I do need that functionality for those IPs that are not in thehostsfile.