Ask Your Question
0

How to resolve hosts in a static way?

asked 2023-08-07 14:04:36 +0000

Hi,

So for my work I need to check different Wireshark traces from different internal networks. I would like based on a static mapping that I will do, for Wireshark to resolve my hosts as it would spare me a lot of time to see directly the hosts I am accustomed to instead of the IPs. How can I do this in Version 4.0.7?

Many thanks!

edit retag flag offensive close merge delete

Comments

"Static" meaning "not using DNS", for example, "using a file"?

Guy Harris gravatar imageGuy Harris ( 2023-08-07 14:35:04 +0000 )edit

Hi! Yes! I am not capturing traces on my computer/network. I am transferring traces to my computer that have been captured on private networks for the purpose of troubleshooting different issues. So their IPs belong to their private internal network, they are different elements(actually they are core equipments in telecom networks). These traces are captured by probes, so there are many nodes in a trace. It would help me to be able to see hostnames instead of IPs, now I have to look at a packet and then just look up that IP in a file to see what I am looking at. So I want to use this mapping file that I could create and somehow be able to see in Wireshark the hostname as well. As I understand, the hosts file only works for capturing traffic from the computer where the hosts file is located.

Alexxxa gravatar imageAlexxxa ( 2023-08-07 18:29:01 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2023-08-08 05:22:29 +0000

Guy Harris gravatar image

As I understand, the hosts file only works for capturing traffic from the computer where the hosts file is located.

No.

First, host name resolution happens when a packet is dissected, not when it's captured, and a capture may be done on one machine and the file read by Wireshark or TShark on a completely different machine, so there's no guarantee that the name resolution will be done on the machine on which the capture is done.

Second, the hosts file is not the system hosts file on the machine on which you're running Wireshark or TShark. There can be two hosts files, the contents of which are combined - a "global" hosts file for Wireshark, installed in the "data file directory" for Wireshark (on macOS, that directory is in the Wireshark application bundle; on Windows, it's in the directory containing the Wireshark executable; on UN*Xes other than macOS, it's probably a directory under /usr or /usr/local - it's not, for example, /etc on UN*Xes), and a "personal" hosts file, stored in the Wireshark preferences directory or in a profile directory under that directory. Current versions of Wireshark/TShark don't use the system host file to do any name resolution, it just uses DNS, name entries stored in pcapng files, and its own host files.

So it will use whatever host file you supply, as per cmaynard's answer, and that will be used for all captures, regardless of what machine the capture was performed on.

edit flag offensive delete link more
0

answered 2023-08-07 15:38:07 +0000

cmaynard gravatar image

You can make use of the Wireshark hosts file, as documented in the Wireshark man page:

Name Resolution (hosts)

If the personal hosts file exists, it is used to resolve IPv4 and IPv6 addresses before any other attempts are made to resolve them. The file has the standard hosts file syntax; each line contains one IP address and name, separated by whitespace. The same directory as for the personal preferences file is used.

Capture filter name resolution is handled by libpcap on UNIX-compatible systems and WinPcap on Windows. As such the Wireshark personal hosts file will not be consulted for capture filter name resolution.

You will also need to ensure that network name resolution is enabled in your Wireshark preferences: Edit -> Preferences -> Name Resolution -> Resolve network (IP) addresses. Note that the hosts file is a per-profile file. If you're just using the default profile, then you'd store the hosts file in your Personal configuration folder, which you can find from Help -> About Wireshark -> Folders, but if you're working within a profile other than the default profile, then you'll need to store your hosts file in the corresponding profile directory.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-08-07 14:04:36 +0000

Seen: 717 times

Last updated: Aug 08 '23