Wireshark mailing list archives
Re: PCAPng Name Resolution Blocks
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Mon, 21 Jan 2013 16:10:55 -0500
Jasper Bongertz wrote:
Hi all, can anyone tell me when Wireshark/Dumpcap will actually write a Name Resolution Block to a pcapng file? I have a file written with an older dumpcap version (I guess it was pre-1.8) that contains a NRB but the latest 1.9 build doesn't seem to do that at all. I tried with DNS queries enabled, and even edited a hosts file to see under which circumstances the resulting pcapng file would contain a NRB. It didn't work, no matter what I tried. Is it possible that the code writing this kind of block is not being called anymore? I'd expect Wireshark to write a NRB containing all records whenever a name resolution is not coming from DNS packets contained in a file (which would make it reproducible when opening the file, even without the NRB).
Wireshark should be writing an NRB whenever you do File->Save or File->Save As. The contents will be whatever is in Wireshark's internal name database at the time (this will contain name<->IP mappings which have come from e.g. DNS packets we've seen as well as anything Wireshark retrieved from the system name resolver).
dumpcap itself won't write NRBs so you won't see them if you're writing to multiple files (ring buffer mode) or otherwise aren't doing File->Save type actions.
There was a while in trunk where NRBs weren't being written but I thought it was fixed (okay, I know it was fixed at that time). Hmm, but it does appear to be broken again (I just tried). :-(
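One way to check whether a saved pcapng file actually contains a Name Resolution Block, as an added example that is not part of the original messages or of Wireshark's code. The block type (0x00000004) and record layout follow the pcapng specification; the function names and the sample capture bytes are constructed for illustration.

```python
import ipaddress
import struct

SHB, NRB, MAGIC = 0x0A0D0D0A, 0x00000004, 0x1A2B3C4D  # values from the pcapng spec

def parse_nrb(body, e):
    """Decode the IPv4 (type 1) and IPv6 (type 2) records of one NRB body."""
    recs, pos = [], 0
    while pos + 4 <= len(body):
        rtype, rlen = struct.unpack_from(e + "HH", body, pos)
        if rtype == 0:  # nrb_record_end; block options may follow, ignored here
            break
        value = body[pos + 4:pos + 4 + rlen]
        if len(value) < rlen:
            raise ValueError("truncated NRB record")
        alen = {1: 4, 2: 16}.get(rtype)
        if alen and rlen > alen:  # address followed by NUL-terminated names
            names = [n.decode("utf-8", "replace") for n in value[alen:].split(b"\0") if n]
            recs.append((str(ipaddress.ip_address(value[:alen])), names))
        pos += 4 + ((rlen + 3) & ~3)  # record values are padded to 32 bits
    return recs

def name_records(data):
    """Return [(address, [names])] from every NRB in a pcapng byte string."""
    out, pos, e = [], 0, "<"
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":  # new section: re-detect byte order
            e = "<" if struct.unpack_from("<I", data, pos + 8)[0] == MAGIC else ">"
        btype, total = struct.unpack_from(e + "II", data, pos)
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError(f"bad block length {total} at offset {pos}")
        if btype == NRB:
            out += parse_nrb(data[pos + 8:pos + total - 4], e)
        pos += total
    return out

def block(btype, body, e="<"):  # helpers from here on only build the sample
    total = 12 + len(body)
    return struct.pack(e + "II", btype, total) + body + struct.pack(e + "I", total)

def record(rtype, addr, names, e="<"):
    value = addr + b"".join(n + b"\0" for n in names)
    return struct.pack(e + "HH", rtype, len(value)) + value.ljust((len(value) + 3) & ~3, b"\0")

def sample(e="<"):
    """Constructed capture: one section header block followed by one NRB."""
    recs = (record(1, bytes([192, 0, 2, 10]), [b"host.example"], e)
            + record(2, ipaddress.ip_address("2001:db8::1").packed, [b"v6.example"], e)
            + struct.pack(e + "HH", 0, 0))
    return block(SHB, struct.pack(e + "IHHq", MAGIC, 1, 0, -1), e) + block(NRB, recs, e)
```

Against a real file, pass `open(path, "rb").read()` to `name_records`; an empty list means the file has no NRB with address records.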