From: Jasper Bongertz <[email protected]>
Date: Thu, 21 Mar 2019 11:38:04 +0100
Hi Roland,

When network name resolution is enabled, Wireshark tries to resolve names via hosts file, DNS reverse lookup and by using DNS answer records it found in the pcap. There might be more mechanisms, but these are the ones I am currently aware of.

I would expect it to work like this: there should be a priority of the lookup where the hosts file has the highest priority because that's the one a user can influence and override values she/he doesn't like, e.g. things like DNS resolutions found in the pcap. Second are the DNS answers found in the pcap, and finally an active reverse lookup (unless disabled in the preferences).

For the hosts file, there should be a prioritized list of where to look: current profile folder, Wireshark install folder (because some people put theirs there in the past, like me), and finally the system hosts file. That would allow creating different profiles with alternative hosts files a user can switch.


No, currently Wireshark does not switch hosts files with the profiles (to be quite honest, wasn't even aware that we support something like using non-system hosts files at all).

Currently I am in the middle of rewriting the profile system and can put this on the todo list. Could you describe the behavior a little bit?

kind regards

On Thu, 21 Mar 2019 at 10:17, Jasper Bongertz <[email protected]> wrote:

Hi Graham,

I just saw this:

My first impulse was "put the hosts in a profile directory and switch it via profiles", but when I tested that it didn't work (no names resolved). I'm not sure if the hosts file is even read when it's in a profile directory, or where exactly Wireshark expects a hosts file. Do you know if that's supposed to work?
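
The lookup order proposed in the first message of this thread (hosts files from the profile folder, then the install folder, then the system, followed by DNS answers seen in the pcap, then an active reverse lookup), sketched as an added example. It is not Wireshark code and not from any of the posters; all function names and sample data are hypothetical, and it assumes the first hosts file that contains the address wins.

```python
import ipaddress

def parse_hosts(text):
    """Parse hosts-file text into {address: name}; first entry per address wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalize the address text
        except ValueError:
            continue                                     # skip malformed address lines
        table.setdefault(addr, fields[1])
    return table

def resolve(addr, hosts_texts, pcap_dns, reverse_lookup=None):
    """Return (name, source) following the proposed priority, or (None, None).

    hosts_texts: ordered list of (label, file contents), highest priority first.
    pcap_dns: {address: name} built from DNS answers found in the capture.
    reverse_lookup: callable doing an active PTR lookup, or None if disabled.
    """
    addr = str(ipaddress.ip_address(addr))
    # 1. User-controlled hosts files override anything learned from the capture.
    for label, text in hosts_texts:
        name = parse_hosts(text).get(addr)
        if name:
            return name, label
    # 2. Names taken from DNS answers inside the pcap (capture data, not user input).
    if addr in pcap_dns:
        return pcap_dns[addr], "pcap-dns"
    # 3. Active reverse lookup, only when enabled.
    if reverse_lookup is not None:
        name = reverse_lookup(addr)
        if name:
            return name, "reverse-dns"
    return None, None

# Constructed sample data, not taken from any real capture or system.
HOSTS = [
    ("profile", "10.0.0.5 lab-db   # override for this profile\n"),
    ("install", "10.0.0.5 old-db\n10.0.0.6 build-box\n"),
    ("system", "127.0.0.1 localhost\n"),
]
PCAP_DNS = {"10.0.0.5": "db.example.net", "10.0.0.7": "www.example.net"}

def fake_ptr(addr):
    """Stand-in for a real reverse lookup so the example runs offline."""
    return {"10.0.0.8": "ptr.example.net"}.get(addr)
```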


