Statistics > Resolved Addresses now shows resolved addresses in GUI tables rather than as plain text, and copy/paste in the tables doesn't work.
Is there another way to export resolved addresses ?
In tshark I've found "-z hosts -q" but looking for a GUI way.
There's nothing macOS-specific about this.
I tried, on Ubuntu 18.04, the 2.6.10 in the standard 18.04 Wireshark package, and Statistics > Resolved Addresses pops up a text window that can be copied and pasted.
A version I built from recent master-branch source, however, has a table, with no easy way to copy and paste or to save to a file.
You should request some mechanism to save resolved addresses by posting an enhancement request on the Wireshark Bugzilla. Note that there's "saving all resolved addresses to a file", which would produce a file not directly usable as a hosts file or an ethers file or..., and there's "saving all resolved {IP,MAC,IPX,...} addresses to a file", saving only one type of address to the file, which would produce a file of that sort but wouldn't save all addresses.
What do you mean by 'there's "saving all resolved addresses to a file", which would produce a file not directly usable as a hosts file' ?
I mean that the file would have a mixture of IP addresses (IPv4 and IPv6), of the type that appears in a hosts file, and MAC addresses, of the sort that appears in an ethers file, so any code trying to read the file as a hosts file might get confused by the MAC address entries and any code trying to read the file as an ethers file might get confused by the IP address entries.
Having a "write to file" button that saves the currently displayed entries would save such a "not a pure hosts file or a pure ethers file" file if "All entries" was chosen in the dialog, would save a hosts file if "Hosts" were selected, would save an ethers file if the misnamed "Ethernet Addresses" were selected ("misnamed" because my Mac doesn't have an Ethernet adapter unless I plug my Thunderbolt Ethernet adapter in ...
Bug created : https://bugs.wireshark.org/bugzilla/s...
@TomLaBaude, I've attached a Lua Tap to the bug report that you might find useful, at least until such time as Wireshark supports copying the window text.
@cmaynard Awesome, thanks, also read carefully your script ! I've added details in the bug, not sure if you're CC
Comments
https://osqa-ask.wireshark.org/questi...
It would be a multi step process but the data is available in the PCAPNG Name Resolution Block.
View -> Reload as File Format/CaptureExpand
PCAPNG File Formatthen look for theName Resolution Block.Right click on it then
Expand Subtrees.Right click
Block DatathenCopy -> All Visible ItemsPaste into text editor.
Maybe someone else comes up with a prettier, simpler method.
Forgot to add, "Mung as needed" once it's out of Wireshark. :-)
Note that you may have to save the file first before doing View -> Reload as File Format/Capture; if, for example, you do a live capture, the file was written by dumpcap, and dumpcap (by design!) doesn't resolve host names and thus doesn't write out a Name Resolution Block. In addition, if the file isn't a pcapng file, it won't have a Name Resolution Block to see.
I.e., there really isn't a good way to do this, but there should be, so getting bug 16419 fixed is the ultimate answer.