Hello, I have captured a Wireshark file and would like to extract some information using Tshark. The below command is what I have been using:

    tshark -r c:\temp\test.pcap >c:\temp\test1.csv -T fields -e ip.src_host -e ip.dst_host -e ip.proto

Issue 1 = Not resolving IP addresses to network names. When I captured the PCAP file, I had "Enable Name Resolution" turned on. But after exporting to CSV, the IP addresses are not resolved. If I do not export to a CSV file, then the names are resolved to stdout (screen).

Issue 2 = The "ip.proto" field does print the protocol, but as a number. Is there a way to print the protocol as text? For example, ip.proto = 6 should be printed as TCP.

asked 07 Sep '12, 12:37 Amato_C
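For issue 2, a small post-processing step can turn the numeric ip.proto values into names. The following is an added example and not code from the thread or from the Wireshark project: it reads the tab-separated output that tshark's -T fields mode prints (columns in the order of the question's -e options), replaces the protocol number with its IANA-registered name, and writes CSV. The protocol table is a subset of the IANA protocol-numbers registry (the same numbers /etc/protocols lists); the sample input lines, the addresses in them and the script file name proto_names.py are constructed for illustration.

```python
import csv
import io
import sys

# Subset of the IANA "Assigned Internet Protocol Numbers" registry; extend it
# with whatever protocols appear in your captures.
IANA_PROTOCOLS = {
    1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "IPv6", 47: "GRE",
    50: "ESP", 51: "AH", 58: "ICMPv6", 89: "OSPF", 132: "SCTP",
}


def proto_name(value):
    """Map the numeric ip.proto value tshark prints to a protocol name.

    Empty values (frames with no IP layer, e.g. ARP) stay empty and
    numbers missing from the table are kept in an obviously unmapped
    form instead of being silently dropped.
    """
    value = value.strip()
    if not value:
        return ""
    try:
        number = int(value)
    except ValueError:
        return value  # already a name or malformed: pass it through unchanged
    return IANA_PROTOCOLS.get(number, "proto-%d" % number)


def convert(fields_output):
    """Convert tshark '-T fields' output (tab separated, one frame per line,
    columns ip.src_host, ip.dst_host, ip.proto) into CSV text in which the
    protocol number is replaced by its name."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip.src_host", "ip.dst_host", "ip.proto"])
    for line in fields_output.splitlines():
        if line == "":
            continue  # skip blank lines only; an all-empty row is a real frame
        cols = line.split("\t")
        cols += [""] * (3 - len(cols))  # pad rows that are short on fields
        src, dst, proto = cols[:3]
        writer.writerow([src, dst, proto_name(proto)])
    return out.getvalue()


# Constructed sample of what the question's command prints to stdout. The hosts
# and addresses are made up and are not taken from the capture in the bug report.
SAMPLE_FIELDS_OUTPUT = (
    "192.168.1.10\twww.google.ca\t6\n"
    "192.168.1.10\t192.168.1.1\t17\n"
    "\t\t\n"  # an ARP frame: no IP layer, so all three fields are empty
    "192.168.1.10\t8.8.8.8\t1\n"
    "192.168.1.10\t10.0.0.5\t200\n"
)

if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   tshark -r test.pcap -T fields -e ip.src_host -e ip.dst_host -e ip.proto | python proto_names.py > test1.csv
    # With nothing piped in, the constructed sample is converted instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FIELDS_OUTPUT
    sys.stdout.write(convert(data))
```

Two practical notes: tshark only resolves names at read time when resolution is switched on for that run (the -N option with the n flag enables network-name resolution), so the names are not something the pcap file carries; and keeping unmapped numbers as proto-N rather than dropping the row means an unexpected protocol in the capture stays visible in the CSV instead of disappearing.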
2 Answers:
Technically, "127.0.0.1", or whatever the IP address is, and 6 are the values of the field, so that's what it's printing. The problem is that there really should be a way to, in the

answered 07 Sep '12, 14:32 Guy Harris ♦♦
This works well on my system (Win7_64, WS 1.8.x). ip.src_host and ip.dst_host DO print the resolved names, but only if name resolution is enabled while tshark runs. From your bug report:

What do you mean by "only known IP addresses" are being resolved? Tshark asks the resolver of the OS, and if the resolver is unable to resolve an IP address to a name (no PTR record, timeout, whatever other problem), it cannot show the resolved names. Maybe I don't fully understand your problem, but it works as expected on my system. However, it does not help to enable name resolution during capturing. If you want Wireshark to store the resolved names during the capture phase, Wireshark needs to be extended to write those names (plus the raw IP addresses) to a pcapng file, and tshark/Wireshark needs to be extended as mentioned by Guy Harris.

Regards

answered 10 Sep '12, 09:19 Kurt Knochner ♦

Thank you for the reply Kurt. Let me better explain what I mean by "only known addresses" are being resolved. The PCAP file I included in the bug report contains both public and private IP addresses. After executing the Tshark command, the public IP addresses are being resolved. For example: 74.125.137.94 resolves to www.google.ca (packet #5). However, the private IP addresses are not being resolved in the Tshark analysis. Referring to the PCAP file in the bug report, please look at packet #6. In the Tshark analysis, the private IP address is not being resolved. Wireshark resolves these IPs. (10 Sep '12, 11:49) Amato_C

O.K., if that's the case, I would think it's a bug. Are you sure that name resolving for those private addresses does work in your environment? Do you have PTR records for them in your local DNS server? (10 Sep '12, 18:55) Kurt Knochner ♦

I am certain that the names are being resolved in Wireshark and not in Tshark. Yes, the PTR records exist. I created bug 7712. (11 Sep '12, 06:36) Amato_C
I submitted bug 7712