Wireshark-dev: Re: [Wireshark-dev] PCAPng Name Resolution Blocks
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 21 Jan 2013 16:10:55 -0500
Jasper Bongertz wrote:
Hi all,

can anyone tell me when Wireshark/Dumpcap will actually write a Name
Resolution Block to a pcapng file? I have a file written with an older
dumpcap version (I guess it was pre 1.8) that contains a NRB but the
latest 1.9 build doesn't seem to do that at all.

I tried with DNS queries enabled, and even edited a hosts file to see
under which circumstances the resulting pcapng file would contain a
NRB. It didn't work, no matter what I tried. Is it possible that the
code writing this kind of block is not being called anymore?

I'd expect Wireshark to write a NRB containing all records whenever a
name resolution is not coming from DNS packets contained in a file
(which would make it reproducable when opening the file, even without
the NRB).

Wireshark should be writing an NRB whenever you do File->Save or File->Save As. The contents will be whatever is in Wireshark's internal name database at the time (this will contain name<->IP mappings which have come from e.g. DNS packets we've seen as well as anything Wireshark retrieved from the system name resolver).

dumpcap itself won't write NRBs so you won't see them if you're writing to multiple files (ring buffer mode) or otherwise aren't doing File->Save type actions.

There was a while in trunk where NRBs weren't being written but I thought it was fixed (okay, I know it was fixed at that time). Hmm, but it does appear to be broken again (I just tried). :-(