
How to change hosts file address mappings?

Is there a kind of cache within Wireshark for hostnames?

I use the hosts file in the "programs" directory. When I delete an address mapping in the hosts file it still shows the already deleted value when I start Wireshark again. When I change the name of the mapping, sometimes it takes the new value, but most of the times it keeps the old one.

It makes me crazy. Is there an explanation for this behaviour?

Or is there a better way to do manipulations in the hosts file?

efranz, asked 2020-12-14 08:40:25 +0000

Comments

Can you add the output of wireshark -v or Help->About Wireshark

Chuckc (2020-12-14 17:28:46 +0000)

Not sure if this is related to Issue 11470?

cmaynard (2020-12-14 17:46:35 +0000)
Version 3.4.1 (v3.4.1-0-g1a27f405875f)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.15.1, with libpcap, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler).

Running on 64-bit ...

efranz (2020-12-14 18:02:09 +0000)

Are you only editing the hosts file or have you also made changes under View->Name Resolution->Edit Resolved Name?
What is the output of capinfos -n <infile> (capinfos man page)?

Chuckc (2020-12-14 19:06:21 +0000)

1 Answer


"Or is there a better way to do manipulations in the hosts file?"
The User's Guide has a section on Name Resolution and the hosts Configuration File

"Is there a kind of cache within Wireshark for hostnames?"
Yes, if the capture file is stored as a pcapng file. This data is stored in a Name Resolution Block (NRB) within the pcapng file.
@cmaynard mentioned open issue 11470 where comments can be added about the name resolution process.

At this time, if a capture file has a NRB it wins when the file is opened.
The NRB can be removed from a file with tshark:

$ capinfos -n 201214_local_name_resolution.pcapng
File name:           201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20

$ tshark -r 201214_local_name_resolution.pcapng -F pcapng -w 201214_no_nrb.pcapng

$ capinfos -n 201214*
File name:           201214_local_name_resolution.pcapng
Number of resolved IPv4 addresses in file: 20

File name:           201214_no_nrb.pcapng


Or if using a hosts file in the search path as described in the User's Guide Configuration File, ask Wireshark to redo name resolution.

  1. Open the capture file.
  2. Edit -> Preferences... -> Name Resolution - uncheck Resolve network (IP) addresses then OK
  3. Edit -> Preferences... -> Name Resolution - check Resolve network (IP) addresses then OK

    The hover text for "Resolve network (IP) addresses":

        "Resolve IPv4, IPv6, and IPX addresses into host names."
        " The next set of check boxes determines how name resolution should be performed."
        " If no other options are checked name resolution is made from Wireshark's host file"
        " and capture file name resolution blocks."

    but Use an external network name resolver must be checked also. Will link issue 11470 back to this question.
    Note: Reloading the capture file resets the name resolution to information in the NRB.

    To see the contents of the NRB, View -> Reload as File Format/Capture


Edit 201215: update link to NRB

Chuckc, answered 2020-12-15 04:26:36 +0000, updated 2020-12-16 01:27:43 +0000
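The "cache" the answer describes is the pcapng Name Resolution Block. The script below is an added example, not code from the answer or from Wireshark: it builds a small pcapng file in memory (a constructed sample; the addresses and hostnames are made up), lists the address-to-name records an NRB carries, and writes a copy with every NRB dropped, which is the effect the tshark re-write above shows with capinfos. It goes a little beyond the answer in that it also handles IPv6 records and big-endian sections. Block and record type numbers follow the pcapng specification; all function names are this example's own.

```python
"""Read and strip the Name Resolution Block (NRB) of a pcapng file.

Added example, not code from the answer above or from Wireshark. Block and
record type values follow the pcapng specification; the sample file built
below (addresses, hostnames) is constructed for the demonstration.
"""
import ipaddress
import struct

BT_SHB = 0x0A0D0D0A      # Section Header Block
BT_IDB = 0x00000001      # Interface Description Block
BT_NRB = 0x00000004      # Name Resolution Block
NRES_END = 0x0000        # nrb_record_end
NRES_IP4 = 0x0001        # nrb_record_ipv4: 4-byte address + NUL-terminated names
NRES_IP6 = 0x0002        # nrb_record_ipv6: 16-byte address + NUL-terminated names

SHB_MAGIC_LE = b"\x4d\x3c\x2b\x1a"   # 0x1A2B3C4D written little-endian
SHB_MAGIC_BE = b"\x1a\x2b\x3c\x4d"


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def _block(btype: int, body: bytes) -> bytes:
    """Little-endian pcapng block: type, total length, body, total length."""
    body = _pad4(body)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_pcapng() -> bytes:
    """Constructed sample: SHB + IDB + one NRB with an IPv4 and an IPv6 record."""
    shb = _block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(BT_IDB, struct.pack("<HHI", 1, 0, 262144))  # LINKTYPE_ETHERNET, snaplen
    rec4 = ipaddress.IPv4Address("192.0.2.10").packed + b"old-name.example\x00"
    rec6 = ipaddress.IPv6Address("2001:db8::1").packed + b"host6.example\x00"
    records = (struct.pack("<HH", NRES_IP4, len(rec4)) + _pad4(rec4)
               + struct.pack("<HH", NRES_IP6, len(rec6)) + _pad4(rec6)
               + struct.pack("<HH", NRES_END, 0))
    return shb + idb + _block(BT_NRB, records)


def iter_blocks(data: bytes):
    """Yield (type, endianness, body, raw_block); byte order is re-read at each SHB."""
    end, off = "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":          # SHB type is byte-order neutral
            magic = data[off + 8:off + 12]
            if magic == SHB_MAGIC_LE:
                end = "<"
            elif magic == SHB_MAGIC_BE:
                end = ">"
            else:
                raise ValueError("bad byte-order magic in SHB")
        btype, total = struct.unpack_from(end + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(end + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"length trailer mismatch at offset {off}")
        yield btype, end, data[off + 8:off + total - 4], data[off:off + total]
        off += total


def parse_nrb(body: bytes, end: str) -> dict:
    """{address: [names]} from one NRB; records stop at nrb_record_end, options are ignored."""
    names, off = {}, 0
    while off + 4 <= len(body):
        rtype, rlen = struct.unpack_from(end + "HH", body, off)
        value = body[off + 4:off + 4 + rlen]
        off += 4 + ((rlen + 3) & ~3)                            # value is padded to 32 bits
        if rtype == NRES_END:
            break
        if rtype in (NRES_IP4, NRES_IP6):
            alen = 4 if rtype == NRES_IP4 else 16
            if len(value) < alen:
                raise ValueError("short address record")
            addr = str(ipaddress.ip_address(value[:alen]))
            hosts = [h.decode("utf-8", "replace") for h in value[alen:].split(b"\x00") if h]
            names.setdefault(addr, []).extend(hosts)
        # any other record type is skipped
    return names


def cached_names(data: bytes) -> dict:
    """Every address -> names mapping the file carries in its NRBs (what Wireshark loads)."""
    merged = {}
    for btype, end, body, _raw in iter_blocks(data):
        if btype == BT_NRB:
            for addr, hosts in parse_nrb(body, end).items():
                merged.setdefault(addr, []).extend(hosts)
    return merged


def strip_nrb(data: bytes) -> bytes:
    """Copy of the file with every NRB removed; all other blocks are kept byte for byte."""
    return b"".join(raw for btype, _e, _b, raw in iter_blocks(data) if btype != BT_NRB)


if __name__ == "__main__":
    sample = build_sample_pcapng()
    print("cached in sample:", cached_names(sample))
    stripped = strip_nrb(sample)
    print("cached after strip:", cached_names(stripped), f"({len(sample)} -> {len(stripped)} bytes)")
```

To check a real capture, pass the file bytes to cached_names(); if it returns the stale mapping, that is what Wireshark will display regardless of the hosts file, and writing strip_nrb() output to a new file (or the tshark re-write in the answer) removes it. Note that Wireshark can write a fresh NRB into a file it saves, so the check belongs on the file you actually open.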

Comments

I have the hosts file under C:\Users\"myuser"\AppData\Roaming\Wireshark

Anders (2020-12-15 14:21:42 +0000)

Hi Chuckc,

Thanks for the elaborate answer. I now have a clear view. I did not look into the user guide. Sorry for that.

I now can interpret the experience I had (e.g. the "mysterious" mechanism when redoing name resolution).

Next time I will look into the user guide before bothering you all.

BR Franz

efranz (2020-12-15 18:20:29 +0000)
