
Cannot resolve hostname when using tshark

I have a Wireshark pcapng file with some network scan results. I want to extract the following fields: source IP, destination IP, source hostname, destination hostname and protocol.

When I open the file with Wireshark, I can get the hostnames by going to Edit->Preferences->Name Resolution-> Resolve Network IP addresses. Then I can export results as csv.

However, I want to write code to do that because I will need to export results from hundreds of files. I'm using pyshark/tshark to get the results.

I specify -Nn in parameters so that name resolution is enabled in the underlying tshark command. (see documentation: https://tshark.dev/packetcraft/add_co...)

However, when I get the results this way, the hostname is the same as the IP address, instead of example.com.

Everything works fine when I export data manually from wireshark, but it doesn't when I try to do this with code. I am 100% sure that I pull correct fields from the packet data (ip.src_host field in this case).

Did anyone experience a similar issue?

abrk
asked 2023-11-13 13:24:40 +0000

Comments

What version are you using? There was a bug about that, filed against Wireshark 2.6.0; the fix was also backported to the 2.6.x branch, so I suspect it shouldn't appear in 2.6.1 or any later release. Are you using a 2.6.x release, or a later release?

Guy Harris (2023-11-13 20:24:58 +0000)

I'm using version 4.0.10

abrk (2023-11-14 09:39:51 +0000)

2 Answers


Try using -NNn instead. This more closely matches the Wireshark settings.

Jaap
answered 2023-11-13 13:37:05 +0000

Comments

It doesn't work, no change in results unfortunately :/

abrk (2023-11-13 16:23:02 +0000)

Clutching at straws, use -2 to enable 2 pass mode. This would help if the DNS resolution occurs after the packet has been processed.

grahamb (2023-11-13 16:29:22 +0000)

-2 doesn't work either

abrk (2023-11-14 09:43:47 +0000)

So the question is: "why is the output of TShark different from Wireshark?"

There are a few possibilities. One that is most overlooked is that TShark uses the "Default" profile, unless you provide a configuration profile with the -C option. So when the profile used in Wireshark is different, the output can also be different.
Another way is to provide the settings you rely on directly on the command line, for example -o nameres.network_name:TRUE or -NdNn.

The environment used to run Wireshark can also be different from TShark. Can you confirm that DNS resolving is working from the command line where TShark is used? Are commands like nslookup or dig working from this command line?

I needed -NNn to make it work, but with -NdNn captured DNS responses are also used. For example:

tshark -r file.pcapng -NdNn -T fields -e _ws.col.def_src -e _ws.col.def_dst -e ip.src -e ip.src_host -e ipv6.src_host -e ipv6.dst_host ...
André
answered 2023-11-16 19:06:08 +0000

Comments

-NnNd worked like a charm, thank you so much!

abrk (2023-11-17 11:00:00 +0000)
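As an added example (not code from the thread or from the Wireshark project), a small Python wrapper that runs tshark with the -NdNn flags from the accepted answer and then flags rows whose host column merely repeats the IP, which is the symptom the question describes. The field list and the sample tshark output are constructed for the demonstration.

```python
"""Run tshark with -NdNn and detect packets whose hostname was not resolved."""
import subprocess
from typing import Dict, List

# -T fields prints one tab-separated line per packet, columns in this order.
FIELDS = ["ip.src", "ip.src_host", "ip.dst", "ip.dst_host", "frame.protocols"]


def build_tshark_argv(pcap_path: str, fields: List[str] = FIELDS) -> List[str]:
    """argv for tshark: -N d (use captured DNS answers), N (external resolvers),
    n (network-address resolution); -E occurrence=f keeps one value per column."""
    argv = ["tshark", "-r", pcap_path, "-NdNn", "-T", "fields", "-E", "occurrence=f"]
    for field in fields:
        argv += ["-e", field]
    return argv


def parse_fields_output(text: str, fields: List[str] = FIELDS) -> List[Dict[str, str]]:
    """Turn tshark's tab-separated output into one dict per packet."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(fields) - len(values))  # non-IP packets leave columns empty
        rows.append(dict(zip(fields, values)))
    return rows


def unresolved(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows where a *_host column equals the address, i.e. resolution failed for it."""
    return [
        r for r in rows
        if (r["ip.src"] and r["ip.src_host"] == r["ip.src"])
        or (r["ip.dst"] and r["ip.dst_host"] == r["ip.dst"])
    ]


def extract_hosts(pcap_path: str):
    """Run tshark on one file; return (all rows, rows that are still unresolved)."""
    proc = subprocess.run(build_tshark_argv(pcap_path), capture_output=True, text=True, check=True)
    rows = parse_fields_output(proc.stdout)
    return rows, unresolved(rows)


# Constructed sample of what tshark -T fields prints for three packets (not real capture data).
SAMPLE_OUTPUT = (
    "192.0.2.10\t192.0.2.10\t198.51.100.7\tns.example.com\teth:ethertype:ip:udp:dns\n"
    "192.0.2.10\thost-a.example.com\t198.51.100.7\tns.example.com\teth:ethertype:ip:tcp\n"
    "\t\t\t\teth:ethertype:arp\n"
)

if __name__ == "__main__":
    rows = parse_fields_output(SAMPLE_OUTPUT)
    print(f"{len(unresolved(rows))} of {len(rows)} packets have an unresolved source or destination")
```

For the hundreds of files mentioned in the question, call extract_hosts() per file and write the rows out with the csv module; a non-empty unresolved list tells you which files to re-check rather than eyeballing the CSV.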
