This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to enable the tshark name resolution while exporting to csv from an already captured pcapng file


Hi, how can I enable tshark name resolution while exporting to a CSV from an already captured pcapng file? When I export from the Wireshark UI I get the resolved src/dest IP, but when I try to do it from tshark the name resolution is not working. Is there anything I need to do to get the resolved names in the CSV?

Thanks in advance

asked 02 Aug '12, 02:56

ArunDev


One Answer:


First check if network name resolving is enabled:

Windows: tshark -G currentprefs | find "resolve"
Unix: tshark -G currentprefs | grep "resolve"
Result: name_resolve: FALSE

FALSE: disabled
TRUE: enabled (in 1.8.1 it's not TRUE, but some other value !?!)

If it's disabled, please enable it in the preferences (Wireshark GUI).

Preferences -> Name Resolution -> Enable Network Name Resolution

Then run this command (just an example to show you how it works):

tshark -r input.cap -T fields -e ip.src -e ip.src_host -e ip.dst -e ip.dst_host -E header=y -E separator=,

ip.src and ip.dst are the unresolved IP addresses and ip.src_host/ip.dst_host are the resolved host names.

HINT: Be prepared that the export with name resolving enabled will take MUCH longer!

Regards
Kurt

answered 03 Aug '12, 01:38

Kurt Knochner ♦

edited 03 Aug '12, 01:42
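
A way to check whether the export from the answer above actually resolved anything, as an added example that is not part of the original answer. It assumes the four-column output of that tshark command, that an unresolved address shows up in ip.src_host/ip.dst_host as the numeric IP itself, and that a packet carrying several IP headers (for example an ICMP error) prints comma-joined values, which breaks the column count unless the export also uses -E quote=d. The function name and the sample rows are constructed for illustration.

```python
import csv
import io

EXPECTED = ["ip.src", "ip.src_host", "ip.dst", "ip.dst_host"]

# Constructed sample of what the tshark command in the answer could print.
# Row 4 is a non-IP packet, row 5 an ICMP error with two IP headers.
SAMPLE = """\
ip.src,ip.src_host,ip.dst,ip.dst_host
192.0.2.10,client.example.test,198.51.100.5,www.example.test
198.51.100.5,www.example.test,192.0.2.10,client.example.test
192.0.2.10,client.example.test,203.0.113.7,203.0.113.7
,,,
192.0.2.1,203.0.113.7,gw.example.test,203.0.113.7,192.0.2.10,192.0.2.10,client.example.test,client.example.test
"""


def resolution_report(csv_text):
    """Return (resolved {ip: name}, unresolved {ip}, skipped row count)."""
    reader = csv.reader(io.StringIO(csv_text))
    if next(reader, None) != EXPECTED:
        raise ValueError("unexpected header; was -E header=y used?")
    resolved, unresolved, skipped = {}, set(), 0
    for row in reader:
        if not any(row):
            continue  # packet without an IP layer: every field is empty
        if len(row) != len(EXPECTED):
            skipped += 1  # multi-valued field split the row into extra columns
            continue
        for addr, host in ((row[0], row[1]), (row[2], row[3])):
            if not addr:
                continue
            if host and host != addr:
                resolved[addr] = host
            else:
                unresolved.add(addr)  # host column just repeats the IP
    unresolved.difference_update(resolved)  # resolved at least once wins
    return resolved, unresolved, skipped


if __name__ == "__main__":
    names, numeric, bad = resolution_report(SAMPLE)
    print("resolved:", names)
    print("still numeric:", sorted(numeric))
    print("rows skipped (column count mismatch):", bad)
```

If every address lands in the "still numeric" set, name resolution was not active for the export.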