
How does tshark read files with dns entries saved with -H?

Description

Documentation says that -H (which implies -Wn) writes data to pcapng files. With a local hosts file, when I try

bash$ ping 8.8.8.8 &
bash$ tshark -c 10 -f icmp -w temp.pcapng
bash$ tshark -r temp.pcapng -H hosts -w temp2.pcapng

I see normal traffic with no modifications to display of IP address. Local hosts file looks something like this:

127.0.0.1      localhost
192.168.0.1    this_computer
8.8.8.8        google_dns

I can see that a pcapng Name Resolution Block exists with xxd:

bash$ xxd temp2.pcapng | grep this -B 5 -A 5
00000620: d0fb 763a 3757 76df 4c5d 0000 0000 f362  ..v:7Wv.L].....b
00000630: 0c00 0000 0000 1011 1213 1415 1617 1819  ................
00000640: 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829  ...... !"#$%&'()
00000650: 2a2b 2c2d 2e2f 3031 3233 3435 3637 0000  *+,-./01234567..
00000660: 8400 0000 0400 0000 3c00 0000 0100 1200  ........<.......
00000670: c0a8 01f6 7468 6973 5f63 6f6d 7075 7465  ....this_compute
00000680: 7200 0000 0100 0f00 0808 0808 676f 6f67  r...........goog
00000690: 6c65 5f64 6e73 0000 0000 0000 3c00 0000  le_dns......<...

Question

When I use tshark -r temp2.pcapng -NNn I see IP to name mappings (names I see are mbp.attlocal.net and dns.google). Using both Wireshark and tshark -r temp2.pcapng -Nd, I do not see "this_computer" or "google_dns" in place of IP addresses. How can I see the data stored in the Name Resolution Block with tshark?

Ross Jacobs
asked 2019-08-09 03:33:06 +0000

Comments

Wireshark can switch between "Capture" and "File Format" modes using the menu item View -> "Reload as File Format/Capture" or the appropriate hot keys.

The "File Format" mode shows the blocks in a pcapng file, and can handle other file types as well.

I'm not aware of any method to allow tshark to produce "File Format" output.

grahamb (2019-08-09 09:19:54 +0000)

Cheers Graham. I wasn't aware of the "Reload as File Format/Capture" option. While this is useful information, my question is how do I see it displayed in src/dst address instead of IP (see pictures below)?

This is the relevant file: https://dl.dropboxusercontent.com/s/5.... When I open it with Wireshark, I see the this_computer and google_dns alternating in the source/dest address columns, but in tshark, I only see their IP addresses.

Pictures

Wireshark: https://dl.dropboxusercontent.com/s/q... tshark: https://dl.dropboxusercontent.com/s/z...

Ross Jacobs (2019-08-09 09:54:02 +0000)

1 Answer

Sorry for misreading your question, I now see it's querying the discrepancy between Wireshark and tshark representations.

Are you adding -2 to tshark to enable 2-pass processing? The output might depend on where the dns block is being stored in the pcapng.

grahamb
answered 2019-08-09 10:11:34 +0000

Comments

In a small test I found the name resolution block was added to the end of the pcapng file, and adding -2 to the tshark command line then used that block to display the names in it.

grahamb (2019-08-09 13:17:22 +0000)

What a genius! Thanks for your help Graham.

Ross Jacobs (2019-08-09 17:55:13 +0000)
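The accepted answer shows how to make tshark use the block (-2); as an added example, not from the thread or from the Wireshark project, here is a small standalone parser that walks a pcapng file and reads IPv4 records out of every Name Resolution Block, so the stored mappings can be checked independently of tshark's pass-ordering. The sample file is constructed in the code from the xxd dump in the question (NRB type 4, length 0x3c, records for 192.168.1.246 and 8.8.8.8); the function and constant names are my own.

```python
import struct
from typing import Dict, Iterator, Tuple

BLOCK_SHB = 0x0A0D0D0A   # Section Header Block (byte pattern is endian-symmetric)
BLOCK_NRB = 0x00000004   # Name Resolution Block
NRB_REC_END, NRB_REC_IPV4 = 0x0000, 0x0001

def iter_blocks(data: bytes) -> Iterator[Tuple[int, str, bytes]]:
    """Yield (block_type, endianness, body) for each block; endianness comes from the SHB."""
    end, off = "<", 0
    while off + 12 <= len(data):
        if struct.unpack_from("<I", data, off)[0] == BLOCK_SHB:
            end = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if struct.unpack_from(end + "I", data, off + blen - 4)[0] != blen:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield btype, end, data[off + 8:off + blen - 4]
        off += blen

def parse_nrb_ipv4(body: bytes, end: str) -> Dict[str, str]:
    """Return {dotted IPv4: name} from the nrb_record_ipv4 entries of one NRB body."""
    names, off = {}, 0
    while off + 4 <= len(body):
        rtype, rlen = struct.unpack_from(end + "HH", body, off)
        off += 4
        if rtype == NRB_REC_END:
            break
        val = body[off:off + rlen]
        if rtype == NRB_REC_IPV4 and rlen >= 5:
            ip = ".".join(str(b) for b in val[:4])
            names[ip] = val[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        off += (rlen + 3) & ~3          # record values are padded to 32 bits
    return names

def nrb_hosts(data: bytes) -> Dict[str, str]:
    hosts: Dict[str, str] = {}
    for btype, end, body in iter_blocks(data):
        if btype == BLOCK_NRB:
            hosts.update(parse_nrb_ipv4(body, end))
    return hosts

# Constructed sample (little-endian): minimal SHB followed by the NRB seen in the xxd dump.
def _rec(rtype: int, value: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(value)) + value + b"\0" * (-len(value) % 4)

_body = (_rec(NRB_REC_IPV4, bytes([192, 168, 1, 246]) + b"this_computer\0")
         + _rec(NRB_REC_IPV4, bytes([8, 8, 8, 8]) + b"google_dns\0") + _rec(NRB_REC_END, b""))
SAMPLE_NRB = struct.pack("<II", BLOCK_NRB, len(_body) + 12) + _body + struct.pack("<I", len(_body) + 12)
SAMPLE_SHB = struct.pack("<IIIHHq", BLOCK_SHB, 28, 0x1A2B3C4D, 1, 0, -1) + struct.pack("<I", 28)
SAMPLE_PCAPNG = SAMPLE_SHB + SAMPLE_NRB
```

Running `nrb_hosts(open("temp2.pcapng", "rb").read())` on the file from the question lists the names tshark shows with -2.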
