This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Gather hosts information

0

Hi all,

I am trying to gather hosts information by using Tshark under Linux. My linux distro (Kali) is under VirtualBox, my computer is running Windows 7.

By reading wireshark book (second edition) I've found this command: tshark -i 1 -qz hosts > hostsinfo.txt to export host information to a file called hostsinfo.txt. Unfortunately, it doesn't work.

After waiting a couples of minutes, hostsinfos.txt file is totally empty.

Any idea?

Thanks in adavance for your help.

Olivier

asked 22 Apr '14, 05:08

Olivier's gravatar image

Olivier
11113
accept rate: 0%

edited 22 Apr '14, 05:10

One Answer:

0

tshark -i 1

well, interface 1 is probably lo0 (the loopback interface) in your VM.

Please run tshark with the name of the interface (eth0,eth1, etc.) you want to capture on

thsark -i eth0 ....

or figure out the interface number with dumpcap

dumpcap -D -M

Regards
Kurt

answered 22 Apr '14, 05:43

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Hi Kurt,

Thanks for your feedback.

no I also used tshark -i eth0.

my first network interface is well eth0.

[email protected]:~# tshark -D
  1. eth0
  2. nflog
  3. any

  4. lo (Loopback)

    dumpcap -D -M provides the same information

Regards,

Olivier

(22 Apr '14, 05:53) Olivier

O.K. so, eth0 is indeed interface number 1.

So, what do you see, if you run the following command

tshark -i eth0

(22 Apr '14, 06:35) Kurt Knochner ♦

If I enter tshark -i eth0, I can see traffic (gateway, etc....) . So that's why I am so amazed. My VM is setup in bridged adapter.

Do you think I should wait for a very long time to be able to gather hosts?

Can an IPS prevent gathering hosts info?

(22 Apr '14, 06:59) Olivier

Do you think I should wait for a very long time to be able to gather hosts?

No, it works within a few seconds on my Ubuntu test system.

Please run the following command for a few seconds in one window

tshark -i 1 -qz hosts

Then in a second window ping some servers on the internet (www.google.com, ask.wireshark.org, etc.).

After that, stop tshark with CTRL-C and post all messages printed by tshark here.

BTW: Are you able to do DNS resolving in your VM?

(22 Apr '14, 07:36) Kurt Knochner ♦

Kurt, I did what you said

tshark -i 1 -qz hosts
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
503 ^C
# TShark hosts output
#
# Host data gathered from /tmp/wireshark_pcapng_eth0_20140422164754_ISPcbO

162.159.241.165             ask.wireshark.org
162.159.242.165             ask.wireshark.org
173.194.41.160              google.com
173.194.41.167              google.com
173.194.41.165              google.com
173.194.41.174              google.com
173.194.41.166              google.com
173.194.41.168              google.com
173.194.41.161              google.com
173.194.41.169              google.com
173.194.41.164              google.com
173.194.41.163              google.com
173.194.41.162              google.com
64.4.11.37              microsoft.com
65.55.58.201                microsoft.com

I didn’t configure DNS resolving in my VM. I am using demo.local domain.

(22 Apr ‘14, 07:52) Olivier

Well, tshark prints the hosts output, as you can see.

So, what exactly does not work?

After waiting a couples of minutes, hostsinfos.txt file is totally empty.

Did you check the file content while tshark was running?

If so, you’ll have to end tshark to get the results, either on the console or in the file!

(22 Apr ‘14, 08:23) Kurt Knochner ♦
showing 5 of 6 show 1 more comments