Cannot resolve hostname when using tshark

asked 2023-11-13 13:24:40 +0000

abrk
3 ●1 ●2 ●3

I have a wireshark pcapng file with some network scan results. I want to the following fields: source ip, destination ip, source hostname, destination hostname and protocol.

When I open the file with Wireshark, I can get the hostnames by going to Edit->Preferences->Name Resolution-> Resolve Network IP addresses. Then I can export results as csv.

However, I want to write code to do that because I will need to export results from hundreds of files. I'm using pyshark/tshark to get the results.

I specify -Nn in parameters so that name resolution is enabled in the underlying tshark command. (see documentation: https://tshark.dev/packetcraft/add_co...)

However, when I get the results this way, the hostname is the same as IP address, instead of example.com.

Everything works fine when I export data manually from wireshark, but it doesn't when I try to do this with code. I am 100% sure that I pull correct fields from the packet data (ip.src_host field in this case).

Did anyone experience similar issue?

edit retag flag offensive close merge delete

Comments

What version are you using? There was a bug about that, filed against Wireshark 2.6.0; the fix was also backported to the 2.6.x branch, so I suspect it shouldn't appear in 2.6.1 or any later release. Are you using a 2.6.x release, or a later release?

Guy Harris ( 2023-11-13 20:24:58 +0000 )edit

I'm using version 4.0.10

abrk ( 2023-11-14 09:39:51 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2023-11-16 19:06:08 +0000

André

176 ●70 ●3

So the question is: "why is the output of TShark different from Wireshark?"

There are a few possibilities. One that is most overlooked is that TShark uses the "Default" profile, unless you provide a configuration profile with the -C option. So when the profile used in Wireshark is different, the output can also be different.
An other way is to provide the settings you rely on, on the command line, for example -o nameres.network_name:TRUE or -NdNn.

The environment used to run Wireshark can also be different from TShark. Can you confirm that DNS resolving is working from the command line where TShark is used? Are commands like nslookup or dig working from this command line?

I needed -NNn to make it work, but with -NdNn captured DNS responses are also used. For example:

tshark -r file.pcapng -NdNn -T fields -e _ws.col.def_src -e _ws.col.def_dst -e ip.src -e ip.src_host -e ipv6.src_host -e ipv6.dst_host ...

edit flag offensive delete link

Comments

-NnNd worked like a charm, Thank you so much!

abrk ( 2023-11-17 11:00:00 +0000 )edit

add a comment

answered 2023-11-13 13:37:05 +0000

Jaap

13742 ●710 ●115

Try using-NNn instead. This more closely matches the Wireshark settings.

edit flag offensive delete link

Comments

It doesn't work, no change in results unfortunately :/

abrk ( 2023-11-13 16:23:02 +0000 )edit

Clutching at straws, use -2 to enable 2 pass mode. This would help if the DNS resolution occurs after the packet has been processed.

grahamb ( 2023-11-13 16:29:22 +0000 )edit

-2 doesn't work either

abrk ( 2023-11-14 09:43:47 +0000 )edit

add a comment