B.3. Configuration Files

Wireshark uses a number of configuration files while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.

The content format of the configuration files is the same on all platforms.

On Windows:

On Unix-like systems:

Table B.1. Configuration files overview

File/FolderDescription

cfilters

Capture filters.

colorfilters

Coloring rules.

dfilter_buttons

Display filter buttons.

dfilters

Display filters.

disabled_protos

Disabled protocols.

dmacros

Display filter macros.

ethers

Ethernet name resolution.

hosts

IPv4 and IPv6 name resolution.

ipxnets

IPX name resolution.

manuf

Ethernet name resolution.

preferences

Settings from the Preferences dialog box.

recent

Per-profile GUI settings.

recent_common

Common GUI settings.

services

Network services.

ss7pcs

SS7 point code resolution.

subnets

IPv4 subnet name resolution.

vlans

VLAN ID name resolution.

wka

Well-known MAC addresses.


File contents
cfilters

This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

"<filter name>" <filter string>

At program start, if there is a cfilters file in the personal configuration folder, it is read. If there isn’t a cfilters file in the personal configuration folder, then, if there is a cfilters file in the global configuration folder, it is read.

When you press the Save button in the “Capture Filters” dialog box, all the current capture filters are written to the personal capture filters file.

colorfilters

This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]

At program start, if there is a colorfilters file in the personal configuration folder, it is read. If there isn’t a colorfilters file in the personal configuration folder, then, if there is a colorfilters file in the global configuration folder, it is read.

When you press the Save button in the “Coloring Rules” dialog box, all the current color filters are written to the personal color filters file.

dfilter_buttons

This file contains all the display filter buttons that you have defined and saved. It consists of one or more lines, where each line has the following format:

"TRUE/FALSE","<button label>","<filter string>","<comment string>"

where the first field is TRUE if the button is enabled (shown).

At program start, if there is a dfilter_buttons file in the personal configuration folder, it is read. If there isn’t a dfilter_buttons file in the personal configuration folder, then, if there is a dfilter_buttons file in the global configuration folder, it is read.

When you save any changes to the filter buttons, all the current display filter buttons are written to the personal display filter buttons file.

dfilters

This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

"<filter name>" <filter string>

At program start, if there is a dfilters file in the personal configuration folder, it is read. If there isn’t a dfilters file in the personal configuration folder, then, if there is a dfilters file in the global configuration folder, it is read.

When you press the Save button in the “Display Filters” dialog box, all the current display filters are written to the personal display filters file.

disabled_protos

Each line in this file specifies a disabled protocol name. The following are some examples:

tcp
udp

At program start, if there is a disabled_protos file in the global configuration folder, it is read first. Then, if there is a disabled_protos file in the personal configuration folder, that is read; if there is an entry for a protocol set in both files, the setting in the personal disabled protocols file overrides the setting in the global disabled protocols file.

When you press the Save button in the “Enabled Protocols” dialog box, the current set of disabled protocols is written to the personal disabled protocols file.

dmacros

This file contains all the display filter macros that you have defined and saved. It consists of one or more lines, where each line has the following format:

"<macro name>" <macro expression>

At program start, if there is a dmacros file in the personal configuration folder, it is read. If there isn’t a dmacros file in the personal configuration folder, then, if there is a dmacros file in the global configuration folder, it is read.

In versions of Wireshark prior to 4.4, the display filter macros were stored in a dfilter_macros file with a somewhat different format, a UAT. At program start if the dmacros file is not found a dfilter_macros file is looked for in the personal and global configuration folders and converted to the new format.

When you press the Save button in the "Display Filter Macros" dialog box, all the current display filter macros are written to the personal display filter macros file.

More information about Display Filter Macros is available in Section 6.7, “Defining And Saving Filter Macros”

ethers

When Wireshark is trying to translate a hardware MAC or EUI-64 address to a name, it consults the ethers file in the personal configuration folder first. If the address is not found in that file, Wireshark consults the ethers file in the system configuration folder.

This file has a similar format to the /etc/ethers file on some UNIX-like systems. Each line in these files consists of one hardware address and name separated by whitespace (tabs or spaces). The hardware addresses are expressed as pairs of hexadecimal digits separated by colons (:), dashes (-), or periods(.), with the same separator used in the entire address. A # can be used to indicate a comment that extends to the rest of the line. NIS lookups, as in some UNIX-like systems, are not supported. Both 6 byte MAC and 8 byte EUI-64 addresses are supported. The following are some examples:

ff-ff-ff-ff-ff-ff    Broadcast
c0-00-ff-ff-ff-ff    TR_broadcast
00.2b.08.93.4b.a1    Freds_machine
00:00:00:00:00:00:00:00    zb_zero_broadcast

The settings from this file are read in at program start, and reloaded when opening a new capture file or changing the configuration profile, and never written by Wireshark.

hosts

Wireshark uses the entries in the hosts files to translate IPv4 and IPv6 addresses into names.

At program start, if there is a hosts file in the global configuration folder, it is read first. Then, if there is a hosts file in the personal configuration folder, that is read; if there is an entry for a given IP address in both files, the setting in the personal hosts file overrides the entry in the global hosts file.

This file has the same format as the usual /etc/hosts file on Unix systems.

An example is:

# Comments must be prepended by the # sign!
192.168.0.1 homeserver

The settings from this file are read in at program start, and reloaded when opening a new capture file or changing the configuration profile, and never written by Wireshark.

ipxnets

When Wireshark is trying to translate an IPX network number to a name, it consults the ipxnets file in the personal configuration folder first. If the address is not found in that file, Wireshark consults the ipxnets file in the system configuration folder.

An example is:

C0.A8.2C.00      HR
c0-a8-1c-00      CEO
00:00:BE:EF      IT_Server1
110f             FileServer3

The settings from this file are read in when an IPX network number is to be translated to a name, and never written by Wireshark.

manuf

At program start, if there is a manuf file in the global configuration folder, it is read first. Then, if there is a manuf file in the personal configuration folder, that is read; if there is an entry for a given address prefix in both files, the setting in the personal file overrides the entry in the global file.

The entries in this file are used to translate MAC address prefixes into short and long manufacturer names. Each line consists of a MAC address prefix followed by an abbreviated manufacturer name and the full manufacturer name. Prefixes 24 bits long by default and may be followed by an optional length. Note that this is not the same format as the ethers file, which does not allow prefix lengths.

Examples are:

00:00:01        Xerox   Xerox Corporation
00:50:C2:00:30:00/36      Microsof        Microsoft

In earlier versions of Wireshark, official information from the IEEE Registration Authority was distributed in this format as the manuf file in the global configuration folder. In current versions of Wireshark, this information is compiled into the program to speed startup, but if a file is present in the global configuration folder it is still read, and can be used to supplement or replace the official data just as the personal file does. The compiled-in information can be written out in this format as a report with tshark -G manuf.

The settings from this file are read in at program start, and reloaded when opening a new capture file or changing the configuration profile, and never written by Wireshark.

preferences

This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form:

variable: value

At program start, if there is a preferences file in the global configuration folder, it is read first. Then, if there is a preferences file in the personal configuration folder, that is read; if there is a preference set in both files, the setting in the personal preferences file overrides the setting in the global preference file.

If you press the Save button in the “Preferences” dialog box, all the current settings are written to the personal preferences file.

recent

This file contains GUI settings that are specific to the current profile, such as column widths and toolbar visibility. It is a simple text file containing statements of the form:

variable: value

It is read at program start and written when preferences are saved and at program exit. It is also written and read whenever you switch to a different profile.

recent_common

This file contains common GUI settings, such as recently opened capture files, recently used filters, and window geometries. It is a simple text file containing statements of the form:

variable: value

It is read at program start and written when preferences are saved and at program exit.

services

Wireshark uses the services files to translate port numbers into names.

At program start, if there is a services file in the global configuration folder, it is read first. Then, if there is a services file in the personal configuration folder, that is read; if there is an entry for a given port number in both files, the setting in the personal services file overrides the entry in the global services file. The format is that of the standard services(5) file on UNIX-compatible systems.

An example is:

mydns       5045/udp     # My own Domain Name Server
mydns       5045/tcp     # My own Domain Name Server

In earlier versions of Wireshark, official information from the IANA Service Name and Transport Protocol Port Number Registry was distributed in this format as the services file in the global configuration folder. In current versions of Wireshark, this information is compiled into the program to speed startup, but if a file is present in the global configuration folder it is still read, and can be used to supplement or replace the official data just as the personal file does. The compiled-in information can be written out in this format as a report with tshark -G services.

The settings from this file are read in at program start, and reloaded when opening a new capture file or changing the configuration profile, and never written by Wireshark.

ss7pcs

Wireshark uses the ss7pcs file to translate SS7 point codes to node names.

At program start, if there is a ss7pcs file in the personal configuration folder, it is read.

Each line in this file consists of one network indicator followed by a dash followed by a point code in decimal and a node name separated by whitespace or tab.

An example is:

2-1234 MyPointCode1

The settings from this file are read in at program start, and reloaded when opening a new capture file opens or changing the configuration profile, and never written by Wireshark.

subnets

Wireshark uses the subnets file to translate an IPv4 address into a subnet name. If no exact match from a hosts file or from DNS is found, Wireshark will attempt a partial match for the subnet of the address.

At program start, if there is a subnets file in the personal configuration folder, it is read first. Then, if there is a subnets file in the global configuration folder, that is read; if there is a preference set in both files, the setting in the global preferences file overrides the setting in the personal preference file.

Each line in one of these files consists of an IPv4 address, a subnet mask length separated only by a “/” and a name separated by whitespace. While the address must be a full IPv4 address, any values beyond the mask length are subsequently ignored.

An example is:

# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network

A partially matched name will be printed as “subnet-name.remaining-address”. For example, “192.168.0.1” under the subnet above would be printed as “ws_test_network.1”; if the mask length above had been 16 rather than 24, the printed address would be “ws_test_network.0.1”.

The settings from this file are read in at program start, and reloaded when opening a new capture file or changing the configuration profile, and never written by Wireshark.

The subnets file also changes the behavior of the Endpoints and Conversations Statistics dialogs for the IPv4 protocol when the IPv4 user preference Aggregate subnets in Statistics Dialogs is enabled. In this case, when an IPv4 address matches a subnet, the statistics dialog will show this subnet instead of the IPv4 address.

vlans

Wireshark uses the vlans file to translate VLAN tag IDs into names.

If there is a vlans file in the currently active profile folder, it is used. Otherwise, the vlans file in the personal configuration folder is used.

Each line in this file consists of one VLAN tag ID and a describing name separated by whitespace or tab.

An example is:

123     Server-LAN
2049    HR-Client-LAN

The settings from this file are read in when a VLAN ID is to be translated to a name, and never written by Wireshark.

wka

At program start, if there is a wka file in the global configuration folder, it is read.

The entries in this file are used to translate MAC addresses and MAC address prefixes into names. The format is that of the manuf file. This file is distributed with Wireshark, and contains data assembled from various non IEEE but respected sources.

The settings from this file are read in at program start, and reloaded when opening a new capture file or changing the configuration profile, and never written by Wireshark.