This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark -H -W n name resolution using hosts file

0

I'm trying to resolve ip addresses using a hosts file and it works well with the wireshark GUI (1.8.7) when the hosts file is in my Personal Configuration folder. Now I came across the tshark -H <hosts file> which seemed quite interesting

  -H <hosts file>       read a list of entries from a hosts file, which will
            then be written to a capture file. (Implies -W n)

So I tried the following command that will save host name resolution records along with captured packets. as per http://www.wireshark.org/docs/man-pages/tshark.html

tshark -r swg186.pcapng -H hosts -w swg186.dns.pcapng -F pcapng -W n

Well, obviously it didn't :-( - or I'm not seeing it...

Am i missing something here?

Yes, resolution works on other machine without external host file. alt text

asked 24 Oct '13, 05:29

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

edited 24 Oct '13, 06:45

Looks like it actually did what it was supposed to do... Every address is now resolved - even without a matching hosts file in the wireshark GUI.
Will send it to another machine and check

(24 Oct '13, 06:08) mrEEde

One Answer:

0

Answering my own - stupid? - question ... The name resolution is done without any external resources (hosts file or DNS) once the command

tshark -r swg186.pcapng -H hosts -w swg186.dns.pcapng -F pcapng -W n

is issued. This information is stored (somewhere) in the pcapng file.

answered 24 Oct '13, 06:49

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%