Jasper Bongertz wrote:
> Hi all,
>
> can anyone tell me when Wireshark/Dumpcap will actually write a Name
> Resolution Block to a pcapng file? I have a file written with an older
> dumpcap version (I guess it was pre 1.8) that contains a NRB but the
> latest 1.9 build doesn't seem to do that at all.
>
> I tried with DNS queries enabled, and even edited a hosts file to see
> under which circumstances the resulting pcapng file would contain a
> NRB. It didn't work, no matter what I tried. Is it possible that the
> code writing this kind of block is not being called anymore?
>
> I'd expect Wireshark to write a NRB containing all records whenever a
> name resolution is not coming from DNS packets contained in a file
> (which would make it reproducible when opening the file, even without
> the NRB).

Wireshark should be writing an NRB whenever you do File->Save or
File->Save As. The contents will be whatever is in Wireshark's internal
name database at the time (this will contain name<->IP mappings which
have come from e.g. DNS packets we've seen as well as anything Wireshark
retrieved from the system name resolver).

dumpcap itself won't write NRBs so you won't see them if you're writing
to multiple files (ring buffer mode) or otherwise aren't doing
File->Save type actions.

There was a while in trunk where NRBs weren't being written but I
thought it was fixed (okay, I know it was fixed at that time). Hmm, but
it does appear to be broken again (I just tried). :-(
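
An added example, not part of the original thread and not Wireshark code: a way to check whether a saved pcapng file actually contains a Name Resolution Block, and which name<->IP mappings it carries. The block and record type codes come from the pcapng format; the function names and the sample capture bytes are constructed for illustration.

```python
import io, ipaddress, struct

NRB_TYPE, BYTE_ORDER_MAGIC = 0x00000004, 0x1A2B3C4D

def parse_nrb_body(body, endian):
    """Decode nrb_record_ipv4 (1) / nrb_record_ipv6 (2) records up to nrb_record_end (0)."""
    found, pos = [], 0
    while pos + 4 <= len(body):
        rtype, rlen = struct.unpack_from(endian + "HH", body, pos)
        if rtype == 0:
            break
        value = body[pos + 4:pos + 4 + rlen]
        pos += 4 + ((rlen + 3) & ~3)           # record values are padded to 32 bits
        alen = {1: 4, 2: 16}.get(rtype)        # address length for IPv4 / IPv6 records
        if alen and len(value) > alen:
            names = [n.decode("utf-8", "replace") for n in value[alen:].split(b"\0") if n]
            found.append((str(ipaddress.ip_address(value[:alen])), names))
    return found

def find_nrb_records(stream):
    """Walk every block of a seekable pcapng stream; return [(ip, [names])] from all NRBs."""
    found, endian = [], "<"
    while len(header := stream.read(8)) == 8:
        if header[:4] == b"\x0a\x0d\x0d\x0a":  # Section Header Block sets the byte order
            magic = stream.read(4)
            endian = "<" if magic == struct.pack("<I", BYTE_ORDER_MAGIC) else ">"
            stream.seek(-4, io.SEEK_CUR)       # the magic is part of the block body
        btype, total = struct.unpack(endian + "II", header)
        if total < 12 or total % 4:
            raise ValueError("corrupt block length %d" % total)
        body = stream.read(total - 12)
        stream.read(4)                         # trailing copy of the block length
        if btype == NRB_TYPE:
            found += parse_nrb_body(body, endian)
    return found

def block(btype, body):
    """Build one little-endian pcapng block (used only for the constructed sample)."""
    total = struct.pack("<I", len(body) + 12)
    return struct.pack("<I", btype) + total + body + total

def record(rtype, value):
    """Build one NRB record, padded to a 32-bit boundary (constructed sample only)."""
    return struct.pack("<HH", rtype, len(value)) + value + b"\0" * (-len(value) % 4)

# Constructed sample: a Section Header Block, then one NRB with a single IPv4 record.
SHB = block(0x0A0D0D0A, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
NRB = block(NRB_TYPE, record(1, bytes([192, 0, 2, 10]) + b"host.example\0") + record(0, b""))
SAMPLE_WITH_NRB, SAMPLE_WITHOUT_NRB = SHB + NRB, SHB

if __name__ == "__main__":
    print(find_nrb_records(io.BytesIO(SAMPLE_WITH_NRB)))
```

For a real capture, pass `open(path, "rb")` instead of the `io.BytesIO` sample; an empty list means the file has no NRB records.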