A.2. Configuration Files and Folders

Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.

[Tip]Tip

A list of the folders Wireshark actually uses can be found under the Folders tab in the dialog box shown when you select About Wireshark from the Help menu.

The content format of the configuration files is the same on all platforms. However, to match the different policies for Unix and Windows platforms, different folders are used for these files.

Table A.1. Configuration files and folders overview

File/Folder     | Description                                       | Unix/Linux folders                                                                         | Windows folders
----------------|---------------------------------------------------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------
preferences     | Settings from the Preferences dialog box.         | /etc/wireshark.conf, $HOME/.wireshark/preferences                                          | %WIRESHARK%\wireshark.conf, %APPDATA%\Wireshark\preferences
recent          | Recent GUI settings (e.g. recent files lists).    | $HOME/.wireshark/recent                                                                    | %APPDATA%\Wireshark\recent
cfilters        | Capture filters.                                  | $HOME/.wireshark/cfilters                                                                  | %WIRESHARK%\cfilters, %APPDATA%\Wireshark\cfilters
dfilters        | Display filters.                                  | $HOME/.wireshark/dfilters                                                                  | %WIRESHARK%\dfilters, %APPDATA%\Wireshark\dfilters
colorfilters    | Coloring rules.                                   | $HOME/.wireshark/colorfilters                                                              | %WIRESHARK%\colorfilters, %APPDATA%\Wireshark\colorfilters
disabled_protos | Disabled protocols.                               | $HOME/.wireshark/disabled_protos                                                           | %WIRESHARK%\disabled_protos, %APPDATA%\Wireshark\disabled_protos
ethers          | Ethernet name resolution.                         | /etc/ethers, $HOME/.wireshark/ethers                                                       | %WIRESHARK%\ethers, %APPDATA%\Wireshark\ethers
manuf           | Ethernet manufacturer (OUI) name resolution.      | /etc/manuf, $HOME/.wireshark/manuf                                                         | %WIRESHARK%\manuf, %APPDATA%\Wireshark\manuf
hosts           | IPv4 and IPv6 name resolution.                    | /etc/hosts, $HOME/.wireshark/hosts                                                         | %WIRESHARK%\hosts, %APPDATA%\Wireshark\hosts
services        | Network services (port name resolution).          | /etc/services, $HOME/.wireshark/services                                                   | %WIRESHARK%\services, %APPDATA%\Wireshark\services
subnets         | IPv4 subnet name resolution.                      | /etc/subnets, $HOME/.wireshark/subnets                                                     | %WIRESHARK%\subnets, %APPDATA%\Wireshark\subnets
ipxnets         | IPX name resolution.                              | /etc/ipxnets, $HOME/.wireshark/ipxnets                                                     | %WIRESHARK%\ipxnets, %APPDATA%\Wireshark\ipxnets
plugins         | Plugin directories.                               | /usr/share/wireshark/plugins, /usr/local/share/wireshark/plugins, $HOME/.wireshark/plugins | %WIRESHARK%\plugins\<version>, %APPDATA%\Wireshark\plugins
temp            | Temporary files.                                  | Environment: TMPDIR                                                                        | Environment: TMPDIR or TEMP

[Note]Windows folders

%APPDATA% points to the personal configuration folder, e.g. C:\Documents and Settings\<username>\Application Data (details can be found in Section A.3.1, “Windows profiles”).

%WIRESHARK% points to the Wireshark program folder, e.g.: C:\Program Files\Wireshark

[Note]Unix/Linux folders

The /etc folder is the global Wireshark configuration folder. The folder actually used on your system may vary, for example /usr/local/etc.

$HOME is usually something like: /home/<username>

preferences/wireshark.conf

This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form:

variable: value

The settings from this file are read in at program start and written to disk when you press the Save button in the "Preferences" dialog box.

recent

This file contains various GUI related settings like the main window position and size, the recent files list and such. It is a simple text file containing statements of the form:

variable: value

It is read at program start and written at program exit.

cfilters

This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

"<filter name>" <filter string>

The settings from this file are read in at program start and written to disk when you press the Save button in the "Capture Filters" dialog box.

dfilters

This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

"<filter name>" <filter string>

The settings from this file are read in at program start and written to disk when you press the Save button in the "Display Filters" dialog box.

colorfilters

This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]

The settings from this file are read in at program start and written to disk when you press the Save button in the "Coloring Rules" dialog box.
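The cfilters, dfilters and colorfilters files share two simple line formats. The following Python parser is an added example, not code from the Wireshark project or this guide: it reads the "<name>" <filter> lines and the @-delimited coloring rule lines from constructed sample text, and converts the 16-bit colour channels to the 8-bit #rrggbb form that is easier to compare in a report. The sample lines are constructed; treating a leading '!' as a disabled coloring rule is a Wireshark convention this page does not describe.

```python
import re
from dataclasses import dataclass

# Constructed sample file contents (illustrative lines, not taken from the page).
SAMPLE_DFILTERS = (
    '"TCP only" tcp\n'
    '"DNS over UDP" udp.port == 53\n'
    '# a comment line does not match the format and is skipped\n'
    '"HTTP to 192.0.2.1" http && ip.addr == 192.0.2.1\n'
)
SAMPLE_COLORFILTERS = (
    '@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][65535,24383,24383]\n'
    '!@Broadcast@eth[0] & 1@[65535,65535,65535][47802,47802,47802]\n'
)

# "<filter name>" <filter string>; names containing a double quote are not handled here.
FILTER_LINE = re.compile(r'^"([^"]*)"\s+(\S.*)$')
# [!]@<name>@<filter>@[bg r,g,b][fg r,g,b] with 16-bit channels; '@' cannot occur in
# the name or the filter string because it is the field separator.
COLOR_LINE = re.compile(
    r'^(!?)@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]\s*$')


@dataclass
class NamedFilter:
    name: str
    expression: str


@dataclass
class ColorRule:
    name: str
    expression: str
    bg: str          # "#rrggbb"
    fg: str          # "#rrggbb"
    enabled: bool


def parse_filters(text):
    """Parse cfilters/dfilters lines; lines not matching the format are skipped."""
    out = []
    for line in text.splitlines():
        m = FILTER_LINE.match(line)
        if m:
            out.append(NamedFilter(m.group(1), m.group(2).rstrip()))
    return out


def format_filter(f):
    """Write a filter back in the on-disk form: "<name>" <filter string>."""
    return '"%s" %s' % (f.name, f.expression)


def _rgb16_to_hex(r, g, b):
    """Wireshark stores 16-bit channels; keep the high byte of each for #rrggbb."""
    return "#%02x%02x%02x" % (int(r) >> 8, int(g) >> 8, int(b) >> 8)


def parse_colorfilters(text):
    """Parse colorfilters lines into ColorRule objects with 8-bit hex colours."""
    out = []
    for line in text.splitlines():
        m = COLOR_LINE.match(line)
        if not m:
            continue
        disabled, name, expr = m.group(1), m.group(2), m.group(3)
        bg = _rgb16_to_hex(*m.group(4, 5, 6))
        fg = _rgb16_to_hex(*m.group(7, 8, 9))
        out.append(ColorRule(name, expr, bg, fg, enabled=(disabled != "!")))
    return out


if __name__ == "__main__":
    for f in parse_filters(SAMPLE_DFILTERS):
        print(f)
    for r in parse_colorfilters(SAMPLE_COLORFILTERS):
        print(r)
```

The regular expressions deliberately mirror the limits of the file format: a filter name cannot contain a double quote and neither a coloring rule name nor its filter string can contain '@', so lines that break those rules are skipped rather than half-parsed.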

disabled_protos

Each line in this file specifies a disabled protocol name. The following are some examples:

tcp
udp

The settings from this file are read in at program start and written to disk when you press the Save button in the "Enabled Protocols" dialog box.

ethers

When Wireshark is trying to translate Ethernet hardware addresses to names, it consults the files listed in Table A.1, “Configuration files and folders overview”. If an address is not found in /etc/ethers, Wireshark looks in $HOME/.wireshark/ethers.

Each line in these files consists of one hardware address and a name, separated by whitespace. The digits of hardware addresses are separated by colons (:), dashes (-) or periods (.). The following are some examples:

ff-ff-ff-ff-ff-ff    Broadcast
c0-00-ff-ff-ff-ff    TR_broadcast
00.2b.08.93.4b.a1    Freds_machine

The settings from this file are read in at program start and never written by Wireshark.

manuf

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate the first three bytes of an Ethernet address into a manufacturer's name. This file has the same format as the ethers file, except that addresses are three bytes long.

An example is:

00:00:01    Xerox                  # XEROX CORPORATION

The settings from this file are read in at program start and never written by Wireshark.
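The ethers and manuf sections above describe a lookup chain: the global ethers file, then the personal one, and finally a three-byte manufacturer prefix. The Python below is an added example, not Wireshark's own resolver: it parses constructed ethers/manuf contents, accepts the colon, dash and period separators, and resolves addresses in that order. The sample entries (Lab_printer, ExampleCo and the addresses) are constructed, and the "Vendor_xx:xx:xx" rendering for a manufacturer-only match is the example's assumption about how such a partial match is shown.

```python
import re

# Constructed sample file contents (illustrative, not the page's own files).
GLOBAL_ETHERS = """\
ff-ff-ff-ff-ff-ff    Broadcast
00.2b.08.93.4b.a1    Freds_machine
"""
PERSONAL_ETHERS = """\
# personal entries, consulted only when the global file has no match
00:2b:08:93:4b:a1    Freds_machine_personal   # never used: the global file wins
00:2b:08:11:22:33    Lab_printer
"""
MANUF = """\
00:00:01    Xerox                  # XEROX CORPORATION
00:2b:08    ExampleCo              # constructed OUI entry for the example
"""


def normalise(addr):
    """Return the raw bytes of a hardware address written with ':', '-' or '.' separators."""
    digits = re.sub(r'[:.-]', '', addr.strip().lower())
    if not re.fullmatch(r'[0-9a-f]+', digits) or len(digits) % 2:
        raise ValueError("bad hardware address: %r" % addr)
    return bytes.fromhex(digits)


def parse_table(text):
    """Parse ethers/manuf lines: address, whitespace, name; '#' starts a comment.
    The first entry for an address wins, so later duplicates are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        table.setdefault(normalise(parts[0]), parts[1])
    return table


def resolve(addr, global_ethers, personal_ethers, manuf):
    """Mirror the lookup order described on the page. Returns (name, source)."""
    mac = normalise(addr)
    if len(mac) != 6:
        raise ValueError("expected a 6-byte Ethernet address: %r" % addr)
    for source, table in (("ethers", global_ethers), ("personal ethers", personal_ethers)):
        if mac in table:
            return table[mac], source
    oui = mac[:3]                      # manuf keys are three bytes long
    if oui in manuf:
        # assumed rendering: vendor short name, '_', then the remaining three bytes
        rest = ":".join("%02x" % b for b in mac[3:])
        return "%s_%s" % (manuf[oui], rest), "manuf"
    return ":".join("%02x" % b for b in mac), "none"


if __name__ == "__main__":
    g, p, m = parse_table(GLOBAL_ETHERS), parse_table(PERSONAL_ETHERS), parse_table(MANUF)
    for a in ("00:2B:08:93:4B:A1", "00-2b-08-11-22-33", "00:00:01:aa:bb:cc", "02:00:00:00:00:01"):
        print(a, "->", resolve(a, g, p, m))
```

Because the global file is consulted first, an entry in your personal ethers file cannot override a global one for the same address; the personal file only adds names for addresses the global file does not know.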

hosts

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate IPv4 and IPv6 addresses into names.

This file has the same format as the usual /etc/hosts file on Unix systems.

An example is:

# Comments must be prepended by the # sign!
192.168.0.1 homeserver

The settings from this file are read in at program start and never written by Wireshark.

services

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate port numbers into names.

An example is:

mydns       5045/udp     # My own Domain Name Server
mydns       5045/tcp     # My own Domain Name Server

The settings from this file are read in at program start and never written by Wireshark.

subnets

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate an IPv4 address into a subnet name. If no exact match from the hosts file or from DNS is found, Wireshark will attempt a partial match for the subnet of the address.

Each line of this file consists of an IPv4 address and a subnet mask length, separated only by a '/', followed by a name separated by whitespace. The address must be a full IPv4 address, but any bits beyond the mask length are ignored.

An example is:

# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network

A partially matched name will be printed as "subnet-name.remaining-address". For example, "192.168.0.1" under the subnet above would be printed as "ws_test_network.1"; if the mask length above had been 16 rather than 24, the printed address would be "ws_test_network.0.1".

The settings from this file are read in at program start and never written by Wireshark.
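The subnets section above gives a file format and a rendering rule ("subnet-name.remaining-address"), which the following Python implements as an added example; it is not Wireshark's own code. It parses constructed subnets lines, discards host bits beyond the mask as the page states, and renders partially matched addresses so that the /24 and /16 cases from the text come out as ws_test_network.1 and ws_test_network.0.1. Two points are the example's own assumptions: when several entries match, the longest mask wins, and for masks that do not end on an octet boundary the remaining address starts at the next whole octet.

```python
import ipaddress

# Constructed sample subnets file (the 10.x entries are the example's own).
SAMPLE_SUBNETS = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
10.0.0.0/8     corp
10.20.0.5/16   corp_branch        # host bits beyond the mask are ignored
"""


def parse_subnets(text):
    """Return a list of (IPv4Network, name) sorted so the most specific subnet comes first."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        cidr, name = line.split(None, 1)
        net = ipaddress.ip_network(cidr, strict=False)   # strict=False drops the host bits
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError("subnets entries are IPv4 only: %r" % raw)
        entries.append((net, name.split()[0]))
    # assumption: longest prefix wins when entries overlap
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def resolve_subnet(addr, entries):
    """Render addr as subnet-name.remaining-octets, or unchanged when no subnet matches."""
    ip = ipaddress.IPv4Address(addr)
    for net, name in entries:
        if ip not in net:
            continue
        host = ipaddress.IPv4Address(int(ip) & int(net.hostmask))   # keep only host bits
        octets = str(host).split('.')
        skip = (net.prefixlen + 7) // 8          # octets fully or partly covered by the mask
        rest = octets[skip:]
        return name if not rest else name + "." + ".".join(rest)
    return str(ip)


if __name__ == "__main__":
    table = parse_subnets(SAMPLE_SUBNETS)
    for a in ("192.168.0.1", "10.20.3.4", "10.99.1.2", "198.51.100.7"):
        print(a, "->", resolve_subnet(a, table))
```

The rendered name only replaces the masked part of the address, so a practitioner reading a packet list can still recover the full host from the name plus the trailing octets.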

ipxnets

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate IPX network numbers into names.

An example is:

C0.A8.2C.00      HR
c0-a8-1c-00      CEO
00:00:BE:EF      IT_Server1
110f             FileServer3

The settings from this file are read in at program start and never written by Wireshark.

plugins folder

Wireshark searches for plugins in the directories listed in Table A.1, “Configuration files and folders overview”. They are searched in the order listed. Plugins are code loaded into the Wireshark process, so keep the personal plugin folder writable only by your own account.

temp folder

If you start a new capture and don't specify a filename for it, Wireshark uses this directory to store that file; see Section 4.11, “Capture files and file modes”.

A.2.1. Protocol help configuration

Wireshark can use configuration files to create context-sensitive menu items for protocol detail items which will load help URLs in your web browser.

To create a protocol help file, create a folder named "protocol_help" in either the personal or global configuration folders. Then create a text file with the extension ".ini" in the "protocol_help" folder. The file must contain key-value pairs with the following sections:

[database]

Mandatory. This contains initialization information for the help file. The following keys must be defined:

source

Source name, e.g. "HyperGlobalMegaMart".

version

Must be "1".

location

General URL for help items. Variables can be substituted using the [location data] section below.

[location data]

Optional. Contains keys that will be used for variable substitution in the "location" value. For example, if the database section contains

location = http://www.example.com/proto?cookie=${cookie}&path=${PATH}

then setting

cookie = anonymous-user-1138

will result in the URL "http://www.example.com/proto?cookie=anonymous-user-1138&path=${PATH}". PATH is used for help path substitution, and shouldn't be defined in this section.

[map]

Maps Wireshark protocol names to section names below. Each key MUST match a valid protocol name such as "ip". Each value MUST have a matching section defined in the configuration file.

Each protocol section must contain an "_OVERVIEW" key which will be used as the first menu item for the help source. Subsequent keys must match descriptions in the protocol detail. Values will be used as the ${PATH} variable in the location template. If ${PATH} isn't present in the location template the value will be appended to the location.

Suppose the file C:\Users\sam.clemens\AppData\Roaming\Wireshark\protocol_help\wikipedia.ini contains the following:

# Wikipedia (en) protocol help file.

# Help file initialization
# source: The source of the help information, e.g. "Inacon" or "Wikipedia"
# version: Currently unused. Must be "1".
# location: Template for generated URLs. See "[location data]" below.
[database]
source=Wikipedia
version=1
location=http://${language}.wikipedia.org/wiki/${PATH}

# Substitution data for the location template.
# Each occurrence of the keys below in the location template will be
# substituted with their corresponding values. For example, "${language}"
# in the location template above will be replaced with the value of
# "language" below.
#
# PATH is reserved for the help paths below; do not specify it here.
[location data]
language = en

# Maps Wireshark protocol names to section names below. Each key MUST match
# a valid protocol name. Each value MUST have a matching section below.
[map]
tcp=TCP

# Mapped protocol sections.
# Keys must match protocol detail item descriptions.
[TCP]
_OVERVIEW=Transmission_Control_Protocol
Destination port=Transmission_Control_Protocol#TCP_ports
Source port=Transmission_Control_Protocol#TCP_ports

Right-clicking on a TCP protocol detail item will show a help menu item that opens the Wikipedia page for TCP. Right-clicking on the TCP destination or source port will show additional help menu items that take you to the "TCP ports" section of the page.

The [location data] and ${PATH} can be omitted if they are not needed. For example, the following configuration is functionally equivalent to the previous configuration:

[database]
source=Wikipedia
version=1
location=http://en.wikipedia.org/wiki/

[map]
tcp=TCP

[TCP]
_OVERVIEW=Transmission_Control_Protocol
Destination port=Transmission_Control_Protocol#TCP_ports
Source port=Transmission_Control_Protocol#TCP_ports
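The two configurations above are stated to be equivalent, and Section A.2.1 gives the rules that make them so: mandatory [database] keys, [location data] substitution, ${PATH} substitution, and appending the path when ${PATH} is absent from the template. The Python below is an added example, not code from Wireshark: it loads both files from constructed strings, enforces those rules, and builds the help menu items for the tcp protocol so the equivalence can be checked. The menu label text and the http/https scheme check are the example's own additions; Wireshark's actual menu wording is not described on this page.

```python
import configparser
import re
from urllib.parse import urlsplit

# Both .ini texts are the page's examples, embedded here as constructed input.
WIKIPEDIA_INI = """\
[database]
source=Wikipedia
version=1
location=http://${language}.wikipedia.org/wiki/${PATH}

[location data]
language = en

[map]
tcp=TCP

[TCP]
_OVERVIEW=Transmission_Control_Protocol
Destination port=Transmission_Control_Protocol#TCP_ports
Source port=Transmission_Control_Protocol#TCP_ports
"""

SHORT_INI = """\
[database]
source=Wikipedia
version=1
location=http://en.wikipedia.org/wiki/

[map]
tcp=TCP

[TCP]
_OVERVIEW=Transmission_Control_Protocol
Destination port=Transmission_Control_Protocol#TCP_ports
Source port=Transmission_Control_Protocol#TCP_ports
"""

VAR = re.compile(r'\$\{([^}]+)\}')


def load_help(text):
    """Parse a protocol help file and check the mandatory [database] keys."""
    cp = configparser.ConfigParser(interpolation=None)   # ${...} is handled by us, not configparser
    cp.optionxform = str                                  # keep "_OVERVIEW" and "Destination port" as written
    cp.read_string(text)
    db = cp["database"]
    for key in ("source", "version", "location"):
        if key not in db:
            raise ValueError("[database] is missing mandatory key %r" % key)
    if db["version"] != "1":
        raise ValueError('version must be "1"')
    if cp.has_section("location data") and "PATH" in cp["location data"]:
        raise ValueError("PATH is reserved and must not appear in [location data]")
    return cp


def expand_location(cp, path):
    """Substitute [location data] keys and ${PATH}; append path if ${PATH} is absent."""
    template = cp["database"]["location"]
    data = dict(cp["location data"]) if cp.has_section("location data") else {}

    def sub(m):
        name = m.group(1)
        if name == "PATH":
            return path
        return data.get(name, m.group(0))   # unknown variables are left in place

    url = VAR.sub(sub, template)
    if "${PATH}" not in template:
        url += path
    # added check: help items open in a browser, so refuse non-web schemes
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("refusing non-http(s) help URL: %r" % url)
    return url


def help_menu(cp, protocol):
    """Return [(label, url)] for a protocol: the _OVERVIEW item first, then each field."""
    section = cp["map"].get(protocol)
    if section is None:
        return []
    if not cp.has_section(section):
        raise ValueError("[map] points %r at missing section %r" % (protocol, section))
    fields = cp[section]
    if "_OVERVIEW" not in fields:
        raise ValueError("section %r has no _OVERVIEW key" % section)
    items = [("%s overview" % cp["database"]["source"], expand_location(cp, fields["_OVERVIEW"]))]
    for key, value in fields.items():
        if key != "_OVERVIEW":
            items.append((key, expand_location(cp, value)))
    return items


if __name__ == "__main__":
    for label, url in help_menu(load_help(WIKIPEDIA_INI), "tcp"):
        print(label, "->", url)
```

Running it shows the same three URLs for both files. The scheme check matters because a help file in the global configuration folder is shared by every user of that installation, and its location template decides what the browser opens.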