Wireshark uses a number of configuration files while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.
The content format of the configuration files is the same on all platforms.
On Windows:
On Unix-like systems:
Table B.1. Configuration files overview
File/Folder | Description |
---|---|
cfilters | Capture filters. |
colorfilters | Coloring rules. |
dfilter_buttons | Display filter buttons. |
dfilters | Display filters. |
disabled_protos | Disabled protocols. |
dmacros | Display filter macros. |
ethers | Ethernet name resolution. |
hosts | IPv4 and IPv6 name resolution. |
ipxnets | IPX name resolution. |
manuf | Ethernet name resolution. |
preferences | Settings from the Preferences dialog box. |
recent | Per-profile GUI settings. |
recent_common | Common GUI settings. |
services | Network services. |
ss7pcs | SS7 point code resolution. |
subnets | IPv4 subnet name resolution. |
vlans | VLAN ID name resolution. |
wka | Well-known MAC addresses. |
This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
"<filter name>" <filter string>
At program start, if there is a cfilters file in the personal configuration folder, it is read. If there isn’t a cfilters file in the personal configuration folder, then, if there is a cfilters file in the global configuration folder, it is read.
When you press the Save button in the “Capture Filters” dialog box, all the current capture filters are written to the personal capture filters file.
This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]
At program start, if there is a colorfilters file in the personal configuration folder, it is read. If there isn’t a colorfilters file in the personal configuration folder, then, if there is a colorfilters file in the global configuration folder, it is read.
When you press the Save button in the “Coloring Rules” dialog box, all the current color filters are written to the personal color filters file.
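A parser and writer for this line format, added here as a worked example; it is not part of the Wireshark documentation or code base. Two details are assumptions taken from how Wireshark writes its own colorfilters file rather than from the text above: each bracket pair holds a comma-separated r,g,b triplet, and a leading `!` marks a rule that is kept but disabled. The sample rules and colour values are constructed.

```python
import re

# Constructed sample colorfilters content. Layout per the page:
#   @<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]
# Assumptions not stated on the page: each bracket pair holds a comma-separated
# r,g,b triplet, and a leading '!' marks a rule that is present but disabled.
SAMPLE_COLORFILTERS = """\
# blank lines and '#' lines are skipped by this parser (assumption)

@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[4626,10023,11822][63479,34695,34695]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[0,0,0][65535,65535,65535]
!@Checksum Errors@eth.fcs.status == "Bad"@[0,0,0][65535,0,0]
"""

RULE_RE = re.compile(
    r"^(?P<disabled>!)?@(?P<name>[^@]*)@(?P<filter>.*)@"
    r"\[(?P<bg>[^\]]*)\]\[(?P<fg>[^\]]*)\]$"
)


def rgb16_to_hex(triplet: str) -> str:
    """'4626,10023,11822' (16-bit per channel) -> '#12272e' (8-bit per channel).

    Wireshark stores colours with 16-bit channels (0..65535); the high byte
    of each channel is the familiar 8-bit value.
    """
    parts = [int(p.strip()) for p in triplet.split(",")]
    if len(parts) != 3 or any(not 0 <= p <= 65535 for p in parts):
        raise ValueError(f"bad 16-bit RGB triplet: [{triplet}]")
    return "#" + "".join(f"{p >> 8:02x}" for p in parts)


def hex_to_rgb16(hex_colour: str) -> str:
    """'#12272e' -> '4626,10023,11822' (0xff scales to 65535, so multiply by 257)."""
    h = hex_colour.lstrip("#")
    if len(h) != 6:
        raise ValueError(f"expected #rrggbb, got {hex_colour!r}")
    return ",".join(str(int(h[i:i + 2], 16) * 257) for i in (0, 2, 4))


def parse_colorfilters(text: str) -> list:
    """Return one dict per rule, with colours converted to '#rrggbb'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a colorfilters rule: {raw!r}")
        rules.append({
            "enabled": m.group("disabled") is None,
            "name": m.group("name"),
            "filter": m.group("filter"),
            "bg": rgb16_to_hex(m.group("bg")),
            "fg": rgb16_to_hex(m.group("fg")),
        })
    return rules


def format_rule(name: str, filter_str: str, bg_hex: str, fg_hex: str,
                enabled: bool = True) -> str:
    """Inverse direction: produce one rule line. '@' is the field separator,
    so a name containing it would be split incorrectly on the next read."""
    if "@" in name:
        raise ValueError("filter name may not contain '@'")
    prefix = "" if enabled else "!"
    return f"{prefix}@{name}@{filter_str}@[{hex_to_rgb16(bg_hex)}][{hex_to_rgb16(fg_hex)}]"
```

The filter string itself is kept verbatim; whether it is a valid display filter is only known to Wireshark's filter compiler, so a tool that rewrites this file should not assume the expressions it carries are well-formed.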
This file contains all the display filter buttons that you have defined and saved. It consists of one or more lines, where each line has the following format:
"TRUE/FALSE","<button label>","<filter string>","<comment string>"
where the first field is TRUE if the button is enabled (shown).
At program start, if there is a dfilter_buttons file in the personal configuration folder, it is read. If there isn’t a dfilter_buttons file in the personal configuration folder, then, if there is a dfilter_buttons file in the global configuration folder, it is read.
When you save any changes to the filter buttons, all the current display filter buttons are written to the personal display filter buttons file.
This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
"<filter name>" <filter string>
At program start, if there is a dfilters file in the personal configuration folder, it is read. If there isn’t a dfilters file in the personal configuration folder, then, if there is a dfilters file in the global configuration folder, it is read.
When you press the Save button in the “Display Filters” dialog box, all the current display filters are written to the personal display filters file.
Each line in this file specifies a disabled protocol name. The following are some examples:
    tcp
    udp
At program start, if there is a disabled_protos file in the global configuration folder, it is read first. Then, if there is a disabled_protos file in the personal configuration folder, that is read; if there is an entry for a protocol set in both files, the setting in the personal disabled protocols file overrides the setting in the global disabled protocols file.
When you press the Save button in the “Enabled Protocols” dialog box, the current set of disabled protocols is written to the personal disabled protocols file.
This file contains all the display filter macros that you have defined and saved. It consists of one or more lines, where each line has the following format:
"<macro name>" <macro expression>
At program start, if there is a dmacros file in the personal configuration folder, it is read. If there isn’t a dmacros file in the personal configuration folder, then, if there is a dmacros file in the global configuration folder, it is read.
In versions of Wireshark prior to 4.4, the display filter macros were stored in a dfilter_macros file with a somewhat different format, a UAT. At program start, if no dmacros file is found, a dfilter_macros file is looked for in the personal and global configuration folders and converted to the new format.
When you press the Save button in the "Display Filter Macros" dialog box, all the current display filter macros are written to the personal display filter macros file.
More information about Display Filter Macros is available in Section 6.7, “Defining And Saving Filter Macros”.
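The cfilters, dfilters and dmacros files share the `"<name>" <expression>` line format and the same lookup rule (the personal copy is used if it exists, otherwise the global copy). The following parser and loader, added here as an example and not part of the Wireshark code base, implement both; the file contents are constructed, and the loader takes the two folders as parameters rather than locating Wireshark's real configuration directories.

```python
import tempfile
from pathlib import Path


def parse_filter_lines(text: str) -> list:
    """Parse lines of the form  "<name>" <expression>  (cfilters, dfilters, dmacros).

    The name is everything between the first pair of double quotes; the
    expression is whatever follows the closing quote, with surrounding
    whitespace removed. Blank lines are skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith('"'):
            raise ValueError(f"line {lineno}: name must be double-quoted: {raw!r}")
        close = line.find('"', 1)
        if close == -1:
            raise ValueError(f"line {lineno}: unterminated name: {raw!r}")
        name = line[1:close]
        expr = line[close + 1:].strip()
        if not expr:
            raise ValueError(f"line {lineno}: missing expression for {name!r}")
        entries.append((name, expr))
    return entries


def load_with_fallback(filename: str, personal_dir: Path, global_dir: Path):
    """The page's rule for these three files: a personal copy wins outright,
    and the global copy is consulted only when no personal file exists.
    Returns (which, entries) where which is 'personal', 'global' or None."""
    for which, folder in (("personal", personal_dir), ("global", global_dir)):
        path = folder / filename
        if path.is_file():
            return which, parse_filter_lines(path.read_text(encoding="utf-8"))
    return None, []


def demo() -> dict:
    """Constructed scenario in temporary folders: dfilters exists in both
    places, cfilters only in the global folder, dmacros nowhere."""
    with tempfile.TemporaryDirectory() as tmp:
        personal = Path(tmp) / "personal"
        glob = Path(tmp) / "global"
        personal.mkdir()
        glob.mkdir()
        (glob / "dfilters").write_text(
            '"Global only" ip.addr == 10.0.0.0/8\n', encoding="utf-8")
        (personal / "dfilters").write_text(
            '"Ethernet address 00:00:5e:00:53:00" eth.addr == 00:00:5e:00:53:00\n'
            '"Non-HTTP and non-SMTP to/from 192.0.2.1" '
            'not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.0.2.1\n',
            encoding="utf-8")
        (glob / "cfilters").write_text(
            '"No ARP and no DNS" not arp and port not 53\n', encoding="utf-8")
        return {
            "dfilters": load_with_fallback("dfilters", personal, glob),
            "cfilters": load_with_fallback("cfilters", personal, glob),
            "dmacros": load_with_fallback("dmacros", personal, glob),
        }
```

Note the consequence of the fallback rule: once a personal dfilters file exists, nothing from the global one is visible, so an administrator who ships organisation-wide filters in the global folder should expect them to disappear for any user who has saved their own.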
When Wireshark is trying to translate a hardware MAC address to a name, it consults the ethers file in the personal configuration folder first. If the address is not found in that file, Wireshark consults the ethers file in the system configuration folder.
This file has a similar format to the /etc/ethers file on some Unix-like systems.
Each line in these files consists of one hardware address and name separated by whitespace (tabs or spaces). The hardware addresses are expressed as pairs of hexadecimal digits separated by colons (:), dashes (-), or periods (.), with the same separator used in the entire address. A # can be used to indicate a comment that extends to the rest of the line. NIS lookups, as in some UNIX-like systems, are not supported. The following are some examples:
    ff-ff-ff-ff-ff-ff Broadcast
    c0-00-ff-ff-ff-ff TR_broadcast
    00.2b.08.93.4b.a1 Freds_machine
The settings from this file are read in when a MAC address is to be translated to a name, and never written by Wireshark.
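An ethers parser and lookup that enforce the rules just described (pairs of hex digits, one separator used consistently, `#` comments, personal file consulted before the system file), added here as an example; it is not Wireshark's own code. The two file contents are constructed; the first three personal entries are the examples from the text.

```python
import re

# Constructed sample files; the first three personal entries are the page's examples.
PERSONAL_ETHERS = """\
ff-ff-ff-ff-ff-ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.2b.08.93.4b.a1 Freds_machine   # trailing comment
"""
SYSTEM_ETHERS = """\
# system-wide file (constructed)
00:2b:08:93:4b:a1 lab-printer
00:00:5e:00:53:01 router-a
"""

# Six pairs of hex digits; group 1 captures the separator after the first pair
# and the back-reference \1 requires the same separator everywhere else.
_ADDR_RE = re.compile(r"^[0-9a-f]{2}([:.-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}$", re.I)


def normalize_mac(token: str) -> str:
    """Accept 'aa:bb:...', 'aa-bb-...' or 'aa.bb....' and return lower-case colon form."""
    m = _ADDR_RE.match(token)
    if not m:
        raise ValueError(f"not a MAC address with a single consistent separator: {token!r}")
    return ":".join(token.lower().split(m.group(1)))


def parse_ethers(text: str) -> dict:
    """Map normalized MAC address -> name. '#' starts a comment to end of line."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<hwaddr> <name>': {raw!r}")
        try:
            table[normalize_mac(fields[0])] = fields[1]
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return table


def resolve_mac(mac: str, personal: dict, system: dict):
    """Personal file first; the system file only if the address is absent there."""
    key = normalize_mac(mac)
    if key in personal:
        return personal[key]
    return system.get(key)
```

Because the lookup key is normalized, an address written with dashes in one file and periods in another still refers to the same entry, and a personal entry shadows the system entry for that address regardless of how either was spelled.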
Wireshark uses the entries in the hosts files to translate IPv4 and IPv6 addresses into names.
At program start, if there is a hosts file in the global configuration folder, it is read first. Then, if there is a hosts file in the personal configuration folder, that is read; if there is an entry for a given IP address in both files, the setting in the personal hosts file overrides the entry in the global hosts file.
This file has the same format as the usual /etc/hosts file on Unix systems.
An example is:
    # Comments must be prepended by the # sign!
    192.168.0.1 homeserver
The settings from this file are read in at program start and never written by Wireshark.
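The hosts precedence rule (global file read first, personal file read second and overriding on a shared address) is easy to get subtly wrong when IPv6 addresses are spelled differently in the two files. The example below, added here and not part of Wireshark, merges the two files on parsed addresses so that `2001:db8::10` and its fully expanded form are the same key. Both file contents are constructed; mapping each address to the first name on its line and ignoring aliases is an assumption of this example.

```python
import ipaddress

# Constructed global and personal hosts files in /etc/hosts format.
GLOBAL_HOSTS = """\
# global configuration folder (constructed)
192.168.0.1    homeserver
192.0.2.10     web-global
2001:db8::10   web6-global
"""
PERSONAL_HOSTS = """\
# Comments must be prepended by the # sign!
192.168.0.1 homeserver
192.0.2.10                  web-personal    # overrides the global entry
2001:0db8:0000:0000:0000:0000:0000:0010 web6-personal
203.0.113.7 jump-host
"""


def parse_hosts(text: str) -> dict:
    """Map parsed IPv4/IPv6 address -> first name on the line (aliases ignored)."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<address> <name> ...': {raw!r}")
        try:
            addr = ipaddress.ip_address(fields[0])  # validates and canonicalizes
        except ValueError:
            raise ValueError(f"line {lineno}: bad IP address {fields[0]!r}") from None
        entries[addr] = fields[1]
    return entries


def merged_hosts(global_text: str, personal_text: str) -> dict:
    """Global file first, then the personal file; personal entries win."""
    table = parse_hosts(global_text)
    table.update(parse_hosts(personal_text))
    return table


def resolve(table: dict, text_addr: str):
    """Look up an address given in any valid textual form."""
    return table.get(ipaddress.ip_address(text_addr))
```

Keying on `ipaddress` objects rather than the raw strings is what makes the override reliable: a string-keyed dictionary would have kept both `2001:db8::10` and its expanded spelling as separate, conflicting entries.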
When Wireshark is trying to translate an IPX network number to a name, it consults the ipxnets file in the personal configuration folder first. If the address is not found in that file, Wireshark consults the ipxnets file in the system configuration folder.
An example is:
    C0.A8.2C.00 HR
    c0-a8-1c-00 CEO
    00:00:BE:EF IT_Server1
    110f FileServer3
The settings from this file are read in when an IPX network number is to be translated to a name, and never written by Wireshark.
At program start, if there is a manuf file in the global configuration folder, it is read first. Then, if there is a manuf file in the personal configuration folder, that is read; if there is an entry for a given address prefix in both files, the setting in the personal file overrides the entry in the global file.
The entries in this file are used to translate MAC address prefixes into short and long manufacturer names. Each line consists of a MAC address prefix followed by an abbreviated manufacturer name and the full manufacturer name. Prefixes are 24 bits long by default and may be followed by an optional length. Note that this is not the same format as the ethers file, which does not allow prefix lengths.
Examples are:
    00:00:01 Xerox Xerox Corporation
    00:50:C2:00:30:00/36 Microsof Microsoft
In earlier versions of Wireshark, official information from the IEEE Registration Authority was distributed in this format as the manuf file in the global configuration folder. In current versions of Wireshark, this information is compiled into the program to speed startup, but if a file is present in the global configuration folder it is still read, and can be used to supplement or replace the official data just as the personal file does. The compiled-in information can be written out in this format as a report with tshark -G manuf.
The settings from this file are read in at program start and never written by Wireshark.
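The manuf format (and the wka file, which the text says shares it) needs a longest-prefix match: a /36 entry must beat the 24-bit entry that contains it, and a full 48-bit entry must beat both. The example below, added here and not Wireshark's own resolver, parses prefixes with an optional length, merges global and personal files with the personal entries overriding, and resolves an address by trying the longest prefix length present first. The file contents are constructed; the first two global lines are the page's examples.

```python
MAC_BITS = 48

# Constructed files; the first two global lines are the page's own examples.
GLOBAL_MANUF = """\
00:00:01              Xerox      Xerox Corporation
00:50:C2:00:30:00/36  Microsof   Microsoft
00:50:C2              IEEERegi   IEEE Registration Authority
ff:ff:ff:ff:ff:ff/48  Broadcast  Broadcast   # full-address entry, as in a wka file
"""
PERSONAL_MANUF = """\
00:50:C2:00:30:00/36  MSFT-lab   Microsoft (lab override)
"""


def _mac_digits(token: str) -> str:
    digits = token.replace(":", "").replace("-", "").replace(".", "")
    if not digits or len(digits) > 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"bad MAC address or prefix {token!r}")
    return digits


def _parse_prefix(token: str):
    """'00:50:C2:00:30:00/36' -> (masked 48-bit value, 36); length defaults to 24."""
    if "/" in token:
        hexpart, length_str = token.split("/", 1)
        length = int(length_str)
    else:
        hexpart, length = token, 24
    digits = _mac_digits(hexpart)
    if not 1 <= length <= MAC_BITS or length > len(digits) * 4:
        raise ValueError(f"prefix length {length} does not fit {token!r}")
    value = int(digits.ljust(12, "0"), 16)           # right-pad to a full address
    mask = ((1 << length) - 1) << (MAC_BITS - length)  # keep the top `length` bits
    return value & mask, length


def parse_manuf(text: str) -> dict:
    """Map (masked value, prefix length) -> (short name, long name)."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)     # prefix, short name, long name (rest of line)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<prefix> <short> <long>': {raw!r}")
        long_name = fields[2] if len(fields) == 3 else fields[1]
        table[_parse_prefix(fields[0])] = (fields[1], long_name)
    return table


def merged_manuf(global_text: str, personal_text: str) -> dict:
    """Global first, then personal; a personal entry for the same prefix wins."""
    table = parse_manuf(global_text)
    table.update(parse_manuf(personal_text))
    return table


def lookup_manuf(table: dict, mac: str):
    """Longest-prefix match of a full 48-bit address against the table."""
    digits = _mac_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"expected a full 48-bit address, got {mac!r}")
    value = int(digits, 16)
    for length in sorted({ln for _, ln in table}, reverse=True):
        mask = ((1 << length) - 1) << (MAC_BITS - length)
        hit = table.get((value & mask, length))
        if hit is not None:
            return hit
    return None
```

Trying lengths in descending order is what guarantees that a more specific registration (a /36 block carved out of a /24) is reported rather than the registry holder of the enclosing block.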
This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form:
variable: value
At program start, if there is a preferences file in the global configuration folder, it is read first. Then, if there is a preferences file in the personal configuration folder, that is read; if there is a preference set in both files, the setting in the personal preferences file overrides the setting in the global preference file.
If you press the Save button in the “Preferences” dialog box, all the current settings are written to the personal preferences file.
This file contains GUI settings that are specific to the current profile, such as column widths and toolbar visibility. It is a simple text file containing statements of the form:
variable: value
It is read at program start and written when preferences are saved and at program exit. It is also written and read whenever you switch to a different profile.
This file contains common GUI settings, such as recently opened capture files, recently used filters, and window geometries. It is a simple text file containing statements of the form:
variable: value
It is read at program start and written when preferences are saved and at program exit.
Wireshark uses the services files to translate port numbers into names.
At program start, if there is a services file in the global configuration folder, it is read first. Then, if there is a services file in the personal configuration folder, that is read; if there is an entry for a given port number in both files, the setting in the personal services file overrides the entry in the global services file. The format is that of the standard services(5) file on UNIX-compatible systems.
An example is:
    mydns 5045/udp # My own Domain Name Server
    mydns 5045/tcp # My own Domain Name Server
In earlier versions of Wireshark, official information from the IANA Service Name and Transport Protocol Port Number Registry was distributed in this format as the services file in the global configuration folder. In current versions of Wireshark, this information is compiled into the program to speed startup, but if a file is present in the global configuration folder it is still read, and can be used to supplement or replace the official data just as the personal file does. The compiled-in information can be written out in this format as a report with tshark -G services.
The settings from these files are read in at program start and never written by Wireshark.
Wireshark uses the ss7pcs file to translate SS7 point codes to node names.
At program start, if there is an ss7pcs file in the personal configuration folder, it is read.
Each line in this file consists of a network indicator, a dash, and a point code in decimal, followed by a node name, the two separated by whitespace (spaces or tabs).
An example is:
2-1234 MyPointCode1
The settings from this file are read in at program start and never written by Wireshark.
Wireshark uses the subnets file to translate an IPv4 address into a subnet name. If no exact match from a hosts file or from DNS is found, Wireshark will attempt a partial match for the subnet of the address.
At program start, if there is a subnets file in the personal configuration folder, it is read first. Then, if there is a subnets file in the global configuration folder, that is read; if there is an entry for a given subnet in both files, the entry in the global subnets file overrides the entry in the personal subnets file.
Each line in one of these files consists of an IPv4 address, a subnet mask length separated from it only by a “/”, and a name separated by whitespace. While the address must be a full IPv4 address, any address bits beyond the mask length are ignored.
An example is:
    # Comments must be prepended by the # sign!
    192.168.0.0/24 ws_test_network
A partially matched name will be printed as “subnet-name.remaining-address”. For example, “192.168.0.1” under the subnet above would be printed as “ws_test_network.1”; if the mask length above had been 16 rather than 24, the printed address would be “ws_test_network.0.1”.
The settings from these files are read in at program start and never written by Wireshark.
The subnets file also changes the behavior of the Endpoints and Conversations Statistics dialogs for the IPv4 protocol when the IPv4 user preference Aggregate subnets in Statistics Dialogs is enabled. In this case, when an IPv4 address matches a subnet, the statistics dialog will show this subnet instead of the IPv4 address.
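A subnets parser and matcher that reproduce the "subnet-name.remaining-address" rendering described above, added here as an example and not taken from Wireshark's resolver. It follows the text for the /24 and /16 cases (the host part is printed with the fully masked leading octets dropped) and generalizes that rule to mask lengths that are not a multiple of 8 by dropping only the octets the mask covers completely, which is an assumption of this example; it also prefers the longest matching mask when several subnets contain the address. The file content is constructed; its first entry is the page's example.

```python
import ipaddress

# Constructed subnets file; the first entry is the page's example.
SUBNETS_FILE = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
10.0.0.0/8     corp
10.20.0.0/16   corp-branch      # longer mask wins over 10.0.0.0/8
10.20.48.5/20  corp-branch-lab  # address bits beyond /20 are ignored
"""


def parse_subnets(text: str) -> list:
    """Return [(IPv4Network, name), ...] sorted longest mask first."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or "/" not in fields[0]:
            raise ValueError(f"line {lineno}: expected '<ipv4>/<len> <name>': {raw!r}")
        addr, length = fields[0].split("/", 1)
        try:
            ipaddress.IPv4Address(addr)   # must be a full dotted-quad address
            # strict=False discards address bits beyond the mask length
            net = ipaddress.IPv4Network((addr, int(length)), strict=False)
        except ValueError:
            raise ValueError(f"line {lineno}: bad subnet {fields[0]!r}") from None
        nets.append((net, fields[1]))
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def subnet_name(nets: list, text_addr: str):
    """Render an address as '<subnet name>.<unmasked octets>', or None if no match.

    The host part is the address with the network bits cleared, printed as a
    dotted quad with the octets fully covered by the mask removed:
    192.168.0.1 under 192.168.0.0/24 -> 'ws_test_network.1'
    192.168.0.1 under 192.168.0.0/16 -> 'ws_test_network.0.1'
    """
    addr = ipaddress.IPv4Address(text_addr)
    for net, name in nets:              # longest mask first, see parse_subnets
        if addr in net:
            host_part = ipaddress.IPv4Address(int(addr) & int(net.hostmask))
            octets = str(host_part).split(".")
            remaining = octets[net.prefixlen // 8:]
            return name + "".join("." + o for o in remaining)
    return None
```

A /32 entry yields the bare subnet name, since no octet survives the mask; that is the same outcome as an exact hosts entry and is why the text describes the subnets file as a fallback used only when no exact match exists.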
Wireshark uses the vlans file to translate VLAN tag IDs into names.
If there is a vlans file in the currently active profile folder, it is used. Otherwise, the vlans file in the personal configuration folder is used.
Each line in this file consists of one VLAN tag ID and a describing name separated by whitespace or tab.
An example is:
    123 Server-LAN
    2049 HR-Client-LAN
The settings from this file are read in at program start or when changing the active profile and are never written by Wireshark.
At program start, if there is a wka file in the global configuration folder, it is read.
The entries in this file are used to translate MAC addresses and MAC address prefixes into names. The format is that of the manuf file. This file is distributed with Wireshark and contains data assembled from various non-IEEE but respected sources.
The settings from this file are read in at program start and never written by Wireshark.