Cannot resolve hostname when using tshark

asked 2023-11-13 13:24:40 +0000

abrk

I have a Wireshark pcapng file with some network scan results. I want to get the following fields: source IP, destination IP, source hostname, destination hostname and protocol.

When I open the file with Wireshark, I can get the hostnames by going to Edit->Preferences->Name Resolution-> Resolve Network IP addresses. Then I can export results as csv.

However, I want to write code to do that because I will need to export results from hundreds of files. I'm using pyshark/tshark to get the results.

I specify -Nn in parameters so that name resolution is enabled in the underlying tshark command. (see documentation: https://tshark.dev/packetcraft/add_co...)

However, when I get the results this way, the hostname is the same as IP address, instead of example.com.

Everything works fine when I export data manually from Wireshark, but it doesn't when I try to do this with code. I am 100% sure that I pull the correct fields from the packet data (ip.src_host field in this case).

Did anyone experience a similar issue?


Comments

What version are you using? There was a bug about that, filed against Wireshark 2.6.0; the fix was also backported to the 2.6.x branch, so I suspect it shouldn't appear in 2.6.1 or any later release. Are you using a 2.6.x release, or a later release?

Guy Harris ( 2023-11-13 20:24:58 +0000 )

I'm using version 4.0.10

abrk ( 2023-11-14 09:39:51 +0000 )

2 Answers


answered 2023-11-16 19:06:08 +0000

André

So the question is: "why is the output of TShark different from Wireshark?"

There are a few possibilities. One that is most overlooked is that TShark uses the "Default" profile, unless you provide a configuration profile with the -C option. So when the profile used in Wireshark is different, the output can also be different.
Another way is to provide the settings you rely on, on the command line, for example -o nameres.network_name:TRUE or -NdNn.

The environment used to run Wireshark can also be different from TShark. Can you confirm that DNS resolving is working from the command line where TShark is used? Are commands like nslookup or dig working from this command line?

I needed -NNn to make it work, but with -NdNn captured DNS responses are also used. For example:

tshark -r file.pcapng -NdNn -T fields -e _ws.col.def_src -e _ws.col.def_dst -e ip.src -e ip.src_host -e ipv6.src_host -e ipv6.dst_host ...

Comments

-NnNd worked like a charm, thank you so much!

abrk ( 2023-11-17 11:00:00 +0000 )
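For the batch export the question describes, the following is an added example (not code from the thread, Wireshark or pyshark) that calls tshark with the -NdNn and -C settings named in the answer above and flags files whose host fields merely repeat the IP address. The function names, the profile argument and the sample output are assumptions made for illustration.

```python
import subprocess

# Fields the question asks for. "_ws.col.Protocol" is the Protocol column as
# named on the asker's 4.0.x release (assumption; adjust for your version).
FIELDS = ["ip.src", "ip.dst", "ip.src_host", "ip.dst_host", "_ws.col.Protocol"]


def build_cmd(pcap, profile=None):
    """tshark argv that sets name resolution itself, not via the Default profile."""
    cmd = ["tshark", "-r", pcap, "-NdNn", "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    if profile:  # same configuration profile the Wireshark GUI export used
        cmd += ["-C", profile]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_rows(tsv_text):
    """Turn tab-separated tshark output into dicts; rows without ip.src are skipped."""
    rows = []
    for line in tsv_text.splitlines():
        rec = line.split("\t")
        if len(rec) == len(FIELDS) and rec[0]:
            rows.append(dict(zip(FIELDS, rec)))
    return rows


def unresolved_ratio(rows):
    """Share of rows where both *_host fields just repeat the IP address."""
    if not rows:
        return 0.0
    bad = sum(r["ip.src_host"] == r["ip.src"] and r["ip.dst_host"] == r["ip.dst"]
              for r in rows)
    return bad / len(rows)


def export(pcap, profile=None):
    """Run tshark on one capture file and return the parsed rows."""
    out = subprocess.run(build_cmd(pcap, profile), check=True,
                         capture_output=True, text=True).stdout
    return parse_rows(out)


# Constructed sample of tshark output (documentation addresses, not real data).
SAMPLE = ("192.0.2.10\t198.51.100.7\t192.0.2.10\texample.com\tTCP\n"
          "\t\t\t\tARP\n"
          "192.0.2.10\t203.0.113.5\t192.0.2.10\t203.0.113.5\tTLSv1.2\n")

if __name__ == "__main__":
    print(unresolved_ratio(parse_rows(SAMPLE)))
```

A ratio of 1.0 for a whole file reproduces the symptom in the question and points at the resolution flags, profile or DNS environment rather than at the field names.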

answered 2023-11-13 13:37:05 +0000

Jaap

Try using -NNn instead. This more closely matches the Wireshark settings.


Comments

It doesn't work, no change in results unfortunately :/

abrk ( 2023-11-13 16:23:02 +0000 )

Clutching at straws, use -2 to enable 2 pass mode. This would help if the DNS resolution occurs after the packet has been processed.

grahamb ( 2023-11-13 16:29:22 +0000 )

-2 doesn't work either

abrk ( 2023-11-14 09:43:47 +0000 )


Stats

Asked: 2023-11-13 13:24:40 +0000

Seen: 560 times

Last updated: Nov 16 '23