Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

A.2. Configuration Files and Folders
Prev Appendix A. Files and Folders Next

A.2. Configuration Files and Folders

Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.

[Tip] Tip

A list of the folders Wireshark actually uses can be found under the Folders tab in the dialog box shown when you select About Wireshark from the Help menu.

The content format of the configuration files is the same on all platforms. However, to match the different policies for Unix and Windows platforms, different folders are used for these files.

Table A.1. Configuration files and folders overview

File/Folder Description Unix/Linux folders Windows folders
preferences Settings from the Preferences dialog box. /etc/wireshark.conf, $HOME/.wireshark/preferences %WIRESHARK%\wireshark.conf, %APPDATA%\Wireshark\preferences
recent Recent GUI settings (e.g. recent files lists). $HOME/.wireshark/recent %APPDATA%\Wireshark\recent
cfilters Capture filters. $HOME/.wireshark/cfilters %WIRESHARK%\cfilters, %APPDATA%\Wireshark\cfilters
dfilters Display filters. $HOME/.wireshark/dfilters %WIRESHARK%\dfilters, %APPDATA%\Wireshark\dfilters
colorfilters Coloring rules. $HOME/.wireshark/colorfilters %WIRESHARK%\colorfilters, %APPDATA%\Wireshark\colorfilters
disabled_protos Disabled protocols. $HOME/.wireshark/disabled_protos %WIRESHARK%\disabled_protos, %APPDATA%\Wireshark\disabled_protos
ethers Ethernet name resolution. /etc/ethers, $HOME/.wireshark/ethers %WIRESHARK%\ethers, %APPDATA%\Wireshark\ethers
manuf Ethernet name resolution. /etc/manuf, $HOME/.wireshark/manuf %WIRESHARK%\manuf, %APPDATA%\Wireshark\manuf
hosts IPv4 and IPv6 name resolution. /etc/hosts, $HOME/.wireshark/hosts %WIRESHARK%\hosts, %APPDATA%\Wireshark\hosts
services Network services. /etc/services, $HOME/.wireshark/services %WIRESHARK%\services, %APPDATA%\Wireshark\services
subnets IPv4 subnet name resolution. /etc/subnets, $HOME/.wireshark/subnets %WIRESHARK%\subnets, %APPDATA%\Wireshark\subnets
ipxnets IPX name resolution. /etc/ipxnets, $HOME/.wireshark/ipxnets %WIRESHARK%\ipxnets, %APPDATA%\Wireshark\ipxnets
plugins Plugin directories. /usr/share/wireshark/plugins, /usr/local/share/wireshark/plugins, $HOME/.wireshark/plugins %WIRESHARK%\plugins\<version>, %APPDATA%\Wireshark\plugins
temp Temporary files. Environment: TMPDIR Environment: TMPDIR or TEMP
[Note] Windows folders

%APPDATA% points to the personal configuration folder, e.g.: C:\Documents and Settings\<username>\Application Data (details can be found at: Section A.3.1, “Windows profiles”),

%WIRESHARK% points to the Wireshark program folder, e.g.: C:\Program Files\Wireshark

[Note] Unix/Linux folders

The /etc folder is the global Wireshark configuration folder. The folder actually used on your system may vary, maybe something like: /usr/local/etc.

$HOME is usually something like: /home/<username>

preferences/wireshark.conf

This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form: 

variable: value

The settings from this file are read in at program start and written to disk when you press the Save button in the "Preferences" dialog box.

recent

This file contains various GUI related settings like the main window position and size, the recent files list and such. It is a simple text file containing statements of the form: 

variable: value

It is read at program start and written at program exit.

cfilters

This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format: 

"<filter name>" <filter string>

The settings from this file are read in at program start and written to disk when you press the Save button in the "Capture Filters" dialog box.

dfilters

This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format: 

"<filter name>" <filter string>

The settings from this file are read in at program start and written to disk when you press the Save button in the "Display Filters" dialog box.

colorfilters

This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format: 

@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]

The settings from this file are read in at program start and written to disk when you press the Save button in the "Coloring Rules" dialog box.

disabled_protos

Each line in this file specifies a disabled protocol name. The following are some examples: 

tcp
udp

The settings from this file are read in at program start and written to disk when you press the Save button in the "Enabled Protocols" dialog box.

ethers

When Wireshark is trying to translate Ethernet hardware addresses to names, it consults the files listed in Table A.1, “Configuration files and folders overview”. If an address is not found in /etc/ethers, Wireshark looks in $HOME/.wireshark/ethers

Each line in these files consists of one hardware address and name separated by whitespace. The digits of hardware addresses are separated by colons (:), dashes (-) or periods(.). The following are some examples: 

ff-ff-ff-ff-ff-ff    Broadcast
c0-00-ff-ff-ff-ff    TR_broadcast
00.2b.08.93.4b.a1    Freds_machine

The settings from this file are read in at program start and never written by Wireshark.

manuf

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate the first three bytes of an Ethernet address into a manufacturers name. This file has the same format as the ethers file, except addresses are three bytes long.

An example is: 

00:00:01	Xerox                  # XEROX CORPORATION

The settings from this file are read in at program start and never written by Wireshark.

hosts

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate IPv4 and IPv6 addresses into names.

This file has the same format as the usual /etc/hosts file on Unix systems.

An example is: 

# Comments must be prepended by the # sign!
192.168.0.1 homeserver

The settings from this file are read in at program start and never written by Wireshark.

services

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate port numbers into names.

An example is: 

mydns       5045/udp     # My own Domain Name Server
mydns       5045/tcp     # My own Domain Name Server

The settings from this file are read in at program start and never written by Wireshark.

subnets

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate an IPv4 address into a subnet name. If no exact match from the hosts file or from DNS is found, Wireshark will attempt a partial match for the subnet of the address.

Each line of this file consists of an IPv4 address, a subnet mask length separated only by a '/' and a name separated by whitespace. While the address must be a full IPv4 address, any values beyond the mask length are subsequently ignored.

An example is: 

# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network

A partially matched name will be printed as "subnet-name.remaining-address". For example, "192.168.0.1" under the subnet above would be printed as "ws_test_network.1"; if the mask length above had been 16 rather than 24, the printed address would be "ws_test_network.0.1".

The settings from this file are read in at program start and never written by Wireshark.

ipxnets

Wireshark uses the files listed in Table A.1, “Configuration files and folders overview” to translate IPX network numbers into names.

An example is: 

C0.A8.2C.00      HR
c0-a8-1c-00      CEO
00:00:BE:EF      IT_Server1
110f             FileServer3

The settings from this file are read in at program start and never written by Wireshark.

plugins folder

Wireshark searches for plugins in the directories listed in Table A.1, “Configuration files and folders overview”. They are searched in the order listed.

temp folder

If you start a new capture and don't specify a filename for it, Wireshark uses this directory to store that file; see Section 4.7, “Capture files and file modes”.

Prev Up Next
Appendix A. Files and Folders Home A.3. Windows folders

 
 
  Published under the terms fo the GNU General Public License Design by Interspire