Is there any way to SAVE manually resolved addresses to LOAD them next time Wireshark runs?
asked 22 Feb '12, 09:21 contradictor_ edited 23 Feb '12, 17:18 multipleinte...
2 Answers:
You can create a hosts file and put it in the Wireshark configuration directory. This file follows the same format as the standard Windows or UNIX hosts file. Wireshark will read this file at startup and will use it as long as network name resolution is enabled. Note that Wireshark will only read this file at startup, so if you make changes while Wireshark is running, you will need to shut down Wireshark and restart for the changes to take effect. See Preferences/Name Resolution on the Wireshark Wiki.
answered 23 Feb '12, 10:57 Jim Aragon edited 23 Feb '12, 11:23 multipleinte...
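As an added example (not part of the answer above and not Wireshark's own code), this Python helper merges IP-to-name mappings into a hosts-format file like the one the answer describes, replacing stale entries and rejecting malformed addresses. The function name `merge_hosts` and the command-line form are hypothetical, and the path to the hosts file is supplied by the caller.

```python
import ipaddress
import sys


def merge_hosts(existing_text, mappings):
    """Return hosts-format text with `mappings` ({ip: name}) applied.

    Lines for an IP in `mappings` are replaced; comments, blank lines and
    other entries are kept in order. New IPs are appended at the end.
    """
    wanted = {}
    for ip, name in mappings.items():
        addr = str(ipaddress.ip_address(ip))  # raises ValueError on bad input
        if not name or any(c.isspace() or c == "#" for c in name):
            raise ValueError(f"invalid hostname: {name!r}")
        wanted[addr] = name

    out, seen = [], set()
    for line in existing_text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            addr = str(ipaddress.ip_address(fields[0])) if fields else None
        except ValueError:
            addr = None  # not an address line; keep it untouched
        if addr in wanted:
            if addr not in seen:
                out.append(f"{addr}\t{wanted[addr]}")
                seen.add(addr)
            continue  # drop the stale or duplicate entry
        out.append(line)
    out += [f"{a}\t{n}" for a, n in wanted.items() if a not in seen]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage (hypothetical): python merge_hosts.py <hosts-file> ip=name [ip=name ...]
    path, pairs = sys.argv[1], dict(p.split("=", 1) for p in sys.argv[2:])
    try:
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(merge_hosts(current, pairs))
```

Because the file is only read at startup, restart Wireshark after running it.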
With the development version using pcap-ng file format - yes.
answered 22 Feb '12, 11:42 Anders ♦
Anders, how to tell Wireshark that, for example, 8.8.8.8 is "foo" and 4.2.2.2 is "bar" (manually resolve), when starting a new capture?
That's a separate question - see [this question](http://ask.wireshark.org/questions/3832/how-can-i-manually-resolve-ip-addresses), and the other answer to your question, for the only current answer.
At some point it might be useful to have a UI from within Wireshark to manually add name resolution values, but no such UI currently exists.
Actually, if you right-click on an IP address (or, it seems, a frame) in the packet-list pane then there is a "Manually resolve address" option where you can enter an IP<->hostname translation. It does NOT appear to work if you right-click in the packet-details pane (e.g., on an IP address).