Wireshark uses a number of configuration files while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.
The content format of the configuration files is the same on all platforms.
On Windows:
- The personal configuration folder for Wireshark is the Wireshark sub-folder of the folder named by the APPDATA environment variable, i.e. %APPDATA%\Wireshark.
- The global configuration folder for Wireshark is the Wireshark program folder and is also used as the system configuration folder.
On Unix-like systems:
- The personal configuration folder is $XDG_CONFIG_HOME/wireshark. For backwards compatibility with Wireshark before 2.2, if $XDG_CONFIG_HOME/wireshark does not exist and $HOME/.wireshark is present, then the latter will be used.
- If you are using macOS and you are running a copy of Wireshark installed as an application bundle, the global configuration folder is APPDIR/Contents/Resources/share/wireshark. Otherwise, the global configuration folder is INSTALLDIR/share/wireshark.
- The /etc folder is the system configuration folder. The folder actually used on your system may vary, maybe something like /usr/local/etc.
Table B.1. Configuration files overview

| File/Folder | Description |
|---|---|
| preferences | Settings from the Preferences dialog box. |
| recent | Recent GUI settings (e.g. recent files lists). |
| cfilters | Capture filters. |
| dfilters | Display filters. |
| colorfilters | Coloring rules. |
| disabled_protos | Disabled protocols. |
| ethers | Ethernet name resolution (full hardware addresses). |
| manuf | Ethernet name resolution (manufacturer prefixes, first three bytes). |
| hosts | IPv4 and IPv6 name resolution. |
| services | Network services (port number to name). |
| subnets | IPv4 subnet name resolution. |
| ipxnets | IPX name resolution. |
| vlans | VLAN ID name resolution. |
File contents
- preferences
  This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form:
      variable: value
  At program start, if there is a preferences file in the global configuration folder, it is read first. Then, if there is a preferences file in the personal configuration folder, that is read; if a preference is set in both files, the setting in the personal preferences file overrides the setting in the global preferences file.
  If you press the Save button in the “Preferences” dialog box, all the current settings are written to the personal preferences file.
- recent
  This file contains various GUI related settings like the main window position and size, the recent files list and such. It is a simple text file containing statements of the form:
      variable: value
  It is read at program start and written at program exit.
- cfilters
  This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
      "<filter name>" <filter string>
  At program start, if there is a cfilters file in the personal configuration folder, it is read. If there isn’t a cfilters file in the personal configuration folder, then, if there is a cfilters file in the global configuration folder, it is read. Unlike preferences, the two files are not merged: a personal file replaces the global one entirely.
  When you press the Save button in the “Capture Filters” dialog box, all the current capture filters are written to the personal capture filters file.
- dfilters
  This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
      "<filter name>" <filter string>
  At program start, if there is a dfilters file in the personal configuration folder, it is read. If there isn’t a dfilters file in the personal configuration folder, then, if there is a dfilters file in the global configuration folder, it is read.
  When you press the Save button in the “Display Filters” dialog box, all the current display filters are written to the personal display filters file.
- colorfilters
  This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:
      @<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]
  At program start, if there is a colorfilters file in the personal configuration folder, it is read. If there isn’t a colorfilters file in the personal configuration folder, then, if there is a colorfilters file in the global configuration folder, it is read.
  When you press the Save button in the “Coloring Rules” dialog box, all the current color filters are written to the personal color filters file.
- disabled_protos
  Each line in this file specifies a disabled protocol name. The following are some examples:
      tcp
      udp
  At program start, if there is a disabled_protos file in the global configuration folder, it is read first. Then, if there is a disabled_protos file in the personal configuration folder, that is read; if there is an entry for a protocol in both files, the setting in the personal disabled protocols file overrides the setting in the global disabled protocols file.
  When you press the Save button in the “Enabled Protocols” dialog box, the current set of disabled protocols is written to the personal disabled protocols file.
- ethers
  When Wireshark is trying to translate a hardware MAC address to a name, it consults the ethers file in the personal configuration folder first. If the address is not found in that file, Wireshark consults the ethers file in the system configuration folder.
  Each line in these files consists of one hardware address and a name separated by whitespace. The digits of hardware addresses are separated by colons (:), dashes (-) or periods (.). The following are some examples:
      ff-ff-ff-ff-ff-ff Broadcast
      c0-00-ff-ff-ff-ff TR_broadcast
      00.2b.08.93.4b.a1 Freds_machine
  The settings from this file are read in when a MAC address is to be translated to a name, and never written by Wireshark.
- manuf
  At program start, if there is a manuf file in the global configuration folder, it is read.
  The entries in this file are used to translate the first three bytes of an Ethernet address into a manufacturer's name. This file has the same format as the ethers file, except addresses are three bytes long.
  An example is:
      00:00:01 Xerox # XEROX CORPORATION
  The settings from this file are read in at program start and never written by Wireshark.
- hosts
  Wireshark uses the entries in the hosts files to translate IPv4 and IPv6 addresses into names.
  At program start, if there is a hosts file in the global configuration folder, it is read first. Then, if there is a hosts file in the personal configuration folder, that is read; if there is an entry for a given IP address in both files, the entry in the personal hosts file overrides the entry in the global hosts file.
  This file has the same format as the usual /etc/hosts file on Unix systems. An example is:
      # Comments must be prepended by the # sign!
      192.168.0.1 homeserver
  The settings from this file are read in at program start and never written by Wireshark.
- services
  Wireshark uses the services files to translate port numbers into names.
  At program start, if there is a services file in the global configuration folder, it is read first. Then, if there is a services file in the personal configuration folder, that is read; if there is an entry for a given port number in both files, the entry in the personal services file overrides the entry in the global services file.
  An example is:
      mydns 5045/udp # My own Domain Name Server
      mydns 5045/tcp # My own Domain Name Server
  The settings from these files are read in at program start and never written by Wireshark.
- subnets
  Wireshark uses the subnets files to translate an IPv4 address into a subnet name. If no exact match from a hosts file or from DNS is found, Wireshark will attempt a partial match for the subnet of the address.
  At program start, if there is a subnets file in the personal configuration folder, it is read first. Then, if there is a subnets file in the global configuration folder, that is read; if the same subnet is defined in both files, this appendix states that the entry in the global subnets file overrides the entry in the personal subnets file, which is the reverse of the precedence used for the other files above. If you rely on a personal subnets entry that also appears in the global file, define it in both and check which name Wireshark actually shows.
  Each line in one of these files consists of an IPv4 address, a subnet mask length separated only by a /, and a name separated by whitespace. While the address must be a full IPv4 address, any values beyond the mask length are subsequently ignored.
  An example is:
      # Comments must be prepended by the # sign!
      192.168.0.0/24 ws_test_network
  A partially matched name will be printed as “subnet-name.remaining-address”. For example, “192.168.0.1” under the subnet above would be printed as “ws_test_network.1”; if the mask length above had been 16 rather than 24, the printed address would be “ws_test_network.0.1”.
  The settings from these files are read in at program start and never written by Wireshark.
- ipxnets
  When Wireshark is trying to translate an IPX network number to a name, it consults the ipxnets file in the personal configuration folder first. If the address is not found in that file, Wireshark consults the ipxnets file in the system configuration folder.
  An example is:
      C0.A8.2C.00 HR
      c0-a8-1c-00 CEO
      00:00:BE:EF IT_Server1
      110f FileServer3
  The settings from this file are read in when an IPX network number is to be translated to a name, and never written by Wireshark.
- vlans
  Wireshark uses the vlans file to translate VLAN tag IDs into names.
  At program start, if there is a vlans file in the personal configuration folder, it is read.
  Each line in this file consists of one VLAN tag ID and a describing name separated by whitespace or a tab.
  An example is:
      123 Server-LAN
      2049 HR-Client-LAN
  The settings from this file are read in at program start and never written by Wireshark.
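The two precedence rules above (preferences: global read first, personal entries override; cfilters, dfilters and colorfilters: the personal file is used by itself and the global file only when no personal file exists) are easy to get wrong when auditing a deployment. The following is an added example, not Wireshark's own code, that emulates both rules over constructed global and personal folders; the preference names and filter lines in it are sample content, not a claim about any particular Wireshark release.

```python
# Added example (not Wireshark's own code): emulate how Wireshark layers the
# global and personal configuration folders for the files described above.
# preferences: both files are read, personal values override global ones.
# cfilters/dfilters: the personal file is used on its own; the global file
# is consulted only when no personal file exists.
import re
import tempfile
from pathlib import Path

FILTER_LINE = re.compile(r'^"([^"]*)"\s+(.*)$')   # "<filter name>" <filter string>


def read_kv(path: Path) -> dict:
    """Parse a 'variable: value' file (preferences, recent). Blank lines and
    '#' comments are skipped; the first ':' separates variable from value."""
    out = {}
    if not path.is_file():
        return out
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_filter_line(line: str):
    """Split one cfilters/dfilters line into (name, filter string)."""
    m = FILTER_LINE.match(line)
    if not m:
        raise ValueError(f"malformed filter line: {line!r}")
    return m.group(1), m.group(2)


def load_preferences(global_dir, personal_dir) -> dict:
    """Global file first, then personal; personal keys win (merge semantics)."""
    merged = read_kv(Path(global_dir) / "preferences")
    merged.update(read_kv(Path(personal_dir) / "preferences"))
    return merged


def load_filters(name, global_dir, personal_dir) -> dict:
    """First-found semantics: a personal file, if present, is used instead of
    the global one, never merged with it."""
    personal = Path(personal_dir) / name
    chosen = personal if personal.is_file() else Path(global_dir) / name
    if not chosen.is_file():
        return {}
    lines = [l for l in chosen.read_text(encoding="utf-8").splitlines() if l.strip()]
    return dict(parse_filter_line(l) for l in lines)


def demo():
    """Build constructed global/personal folders in a temp dir and show
    both precedence rules side by side."""
    with tempfile.TemporaryDirectory() as tmp:
        g = Path(tmp, "global")
        p = Path(tmp, "personal")
        g.mkdir()
        p.mkdir()
        # Constructed sample files: a global setting that the personal file
        # overrides, a filter file present in both folders, and one that is
        # only global.
        (g / "preferences").write_text("gui.ask_unsaved: TRUE\ncapture.prom_mode: TRUE\n")
        (p / "preferences").write_text("# personal override\ncapture.prom_mode: FALSE\n")
        (g / "cfilters").write_text('"Ethernet broadcast" ether broadcast\n')
        (p / "cfilters").write_text('"SSH only" tcp port 22\n')
        (g / "dfilters").write_text('"Non-HTTP" !http\n')     # no personal dfilters
        return (load_preferences(g, p),
                load_filters("cfilters", g, p),
                load_filters("dfilters", g, p))


if __name__ == "__main__":
    prefs, cfilters, dfilters = demo()
    print(prefs)      # personal capture.prom_mode wins, global gui.ask_unsaved kept
    print(cfilters)   # only the personal "SSH only" filter; the global file is ignored
    print(dfilters)   # the global "Non-HTTP" filter, since no personal file exists
```

The practical consequence is the one shown by the cfilters result: saving a single capture filter from the dialog creates a personal file that hides every filter shipped in the global folder, whereas a personal preferences file only changes the keys it names.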
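The ethers and manuf entries above describe three lookups in a fixed order: the personal ethers file, then the system ethers file, then the three-byte manufacturer prefix. The following added example, which is not Wireshark's own resolver, implements that order, accepts the colon, dash and period separators the ethers entry lists, and skips malformed addresses instead of mis-resolving them. The "Vendor_xx:xx:xx" rendering for prefix-only matches and the sample files are assumptions for the example; the entries themselves are the appendix's own.

```python
# Added example (not Wireshark's own code): resolve a hardware address the
# way the ethers and manuf entries describe it: personal ethers first, then
# the system ethers file, then the manuf OUI prefix.
import re

SEPARATORS = re.compile(r"[:\-.]")


def canon_mac(text: str):
    """Normalise 'ff-ff-ff-ff-ff-ff', '00.2b.08.93.4b.a1' or '00:00:01' to
    lowercase hex without separators; None if not 3 or 6 bytes of hex."""
    hexstr = SEPARATORS.sub("", text).lower()
    if len(hexstr) not in (6, 12) or any(c not in "0123456789abcdef" for c in hexstr):
        return None
    return hexstr


def parse_ethers(text: str, prefix_bytes: int = 6) -> dict:
    """Parse ethers-style lines (address, whitespace, name; '#' comments).
    manuf has the same layout with three-byte addresses (prefix_bytes=3).
    Lines whose address is malformed or the wrong length are skipped."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) != 2:
            continue
        addr = canon_mac(fields[0])
        if addr is None or len(addr) != prefix_bytes * 2:
            continue
        table.setdefault(addr, fields[1].strip())   # first definition wins
    return table


def resolve_mac(mac: str, personal_ethers: dict, system_ethers: dict, manuf: dict) -> str:
    key = canon_mac(mac)
    if key is None or len(key) != 12:
        raise ValueError(f"not a six-byte hardware address: {mac!r}")
    for table in (personal_ethers, system_ethers):   # personal shadows system
        if key in table:
            return table[key]
    octets = [key[i:i + 2] for i in range(0, 12, 2)]
    vendor = manuf.get(key[:6])
    if vendor:
        # Assumed display form for a prefix-only match: Vendor_xx:xx:xx
        return f"{vendor}_{':'.join(octets[3:])}"
    return ":".join(octets)


# Constructed sample files built from the appendix's own example entries.
PERSONAL_ETHERS = """\
ff-ff-ff-ff-ff-ff Broadcast
00.2b.08.93.4b.a1 Freds_machine
"""
SYSTEM_ETHERS = """\
c0-00-ff-ff-ff-ff TR_broadcast
00:2b:08:93:4b:a1 Lab_spare    # shadowed by the personal entry
00:2b:08:93:4b     Bad_length   # skipped: only five bytes
"""
MANUF = "00:00:01 Xerox # XEROX CORPORATION\n"


def demo() -> list:
    p = parse_ethers(PERSONAL_ETHERS)
    s = parse_ethers(SYSTEM_ETHERS)
    m = parse_ethers(MANUF, prefix_bytes=3)
    return [resolve_mac(a, p, s, m) for a in
            ("00:2B:08:93:4B:A1", "c0-00-ff-ff-ff-ff", "00:00:01:aa:bb:cc", "02:00:00:00:00:01")]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Note that a personal ethers entry silently shadows a system one for the same address; when a capture shows an unexpected name for a MAC, check the personal file before the system one.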
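The hosts and subnets entries above define a two-stage IPv4 lookup: an exact hosts match, and otherwise a partial subnet match printed as "subnet-name.remaining-address". The following added example, not Wireshark's own code, carries that through for the /24 and /16 cases the text describes and for a mask that hides host bits in the address. Two details are assumptions because the page does not state them: when several subnets contain an address the longest prefix wins, and the remaining address is printed one octet per remaining (full or partial) byte.

```python
# Added example (not Wireshark's own code): IPv4 name resolution using the
# hosts and subnets files: an exact hosts match first, then the subnets
# file, printing 'subnet-name.remaining-address' on a partial match.
# Assumptions not stated on the page: the longest matching prefix wins, and
# the remaining address is printed one octet per remaining byte.
import ipaddress


def parse_hosts(text: str) -> dict:
    """hosts lines: address, whitespace, name; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address: skip the line
        table.setdefault(ip, fields[1])   # first name for an address wins
    return table


def parse_subnets(text: str) -> dict:
    """subnets lines: full IPv4 address '/' mask length, whitespace, name.
    Host bits beyond the mask length are ignored, as the appendix says."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, sep, length = fields[0].partition("/")
        if not sep:
            continue                      # no '/': not a subnets entry
        try:
            net = ipaddress.ip_network(f"{addr}/{int(length)}", strict=False)
        except ValueError:
            continue
        if net.version != 4 or net.prefixlen == 0:
            continue
        table.setdefault(net, fields[1])
    return table


def resolve_ipv4(addr: str, hosts: dict, subnets: dict) -> str:
    ip = ipaddress.IPv4Address(addr)
    if ip in hosts:
        return hosts[ip]
    best = max((n for n in subnets if ip in n),
               key=lambda n: n.prefixlen, default=None)
    if best is None:
        return str(ip)                    # no partial match: plain address
    host_bits = 32 - best.prefixlen
    remaining = int(ip) & ((1 << host_bits) - 1)
    nbytes = (host_bits + 7) // 8         # /24 -> 1 octet, /16 -> 2, /20 -> 2
    octets = [str((remaining >> (8 * i)) & 0xFF) for i in reversed(range(nbytes))]
    return f"{subnets[best]}.{'.'.join(octets)}"


# Constructed sample files built from the appendix's own examples.
HOSTS = "# Comments must be prepended by the # sign!\n192.168.0.1 homeserver\n"
SUBNETS = """\
# Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network
192.168.0.0/16 ws_site
10.0.0.7/8     corp            # the .0.0.7 host bits are ignored
"""


def demo() -> dict:
    hosts, subnets = parse_hosts(HOSTS), parse_subnets(SUBNETS)
    return {a: resolve_ipv4(a, hosts, subnets) for a in
            ("192.168.0.1", "192.168.0.9", "192.168.5.9", "10.1.2.3", "172.16.0.1")}


if __name__ == "__main__":
    for addr, name in demo().items():
        print(f"{addr:<12} -> {name}")
```

192.168.0.1 resolves through hosts and never reaches the subnets table; 192.168.0.9 falls into the /24 and prints as "ws_test_network.9"; 192.168.5.9 misses the /24 but matches the /16, giving "ws_site.5.9" with two remaining octets, the same shape as the "ws_test_network.0.1" case in the text.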
Wireshark can use configuration files to create context-sensitive menu items for protocol detail items which will load help URLs in your web browser.
To create a protocol help file, create a folder named “protocol_help” in either the personal or global configuration folders. Then create a text file with the extension “.ini” in the “protocol_help” folder. The file must contain key-value pairs with the following sections:
- [database]
  Mandatory. This contains initialization information for the help file. The following keys must be defined:
  - source: Source name, e.g. “HyperGlobalMegaMart”
  - version: Must be “1”.
  - location: General URL for help items. Variables can be substituted using the [location data] section below.
- [location data]
  Optional. Contains keys that will be used for variable substitution in the “location” value. For example, if the database section contains
      location = http://www.example.com/proto?cookie=${cookie}&path=${PATH}
  then setting
      cookie = anonymous-user-1138
  will result in the URL http://www.example.com/proto?cookie=anonymous-user-1138&path=${PATH}. PATH is used for help path substitution, and shouldn’t be defined in this section.
- [map]
  Maps Wireshark protocol names to section names below. Each key MUST match a valid protocol name such as “ip”. Each value MUST have a matching section defined in the configuration file.
Each protocol section must contain an “_OVERVIEW” key which will be used as the first menu item for the help source. Subsequent keys must match protocol detail item descriptions; their values supply the help path, replacing ${PATH} in the location or, when the location contains no ${PATH}, being appended to it.
Suppose the file C:\Users\sam.clemens\AppData\Roaming\Wireshark\protocol_help\wikipedia.ini contains the following:
    # Wikipedia (en) protocol help file.

    # Help file initialization
    # source: The source of the help information, e.g. "Inacon" or "Wikipedia"
    # version: Currently unused. Must be "1".
    # location: Template for generated URLs. See "location data" below.
    [database]
    source=Wikipedia
    version=1
    location=https://${language}.wikipedia.org/wiki/${PATH}

    # Substitution data for the location template.
    # Each occurrence of the keys below in the location template will be
    # substituted with their corresponding values. For example, "${language}"
    # in the location template above will be replaced with the value of "language"
    # below.
    #
    # PATH is reserved for the help paths below; do not specify it here.
    [location data]
    language = en

    # Maps Wireshark protocol names to section names below. Each key MUST match
    # a valid protocol name. Each value MUST have a matching section below.
    [map]
    tcp=TCP

    # Mapped protocol sections.
    # Keys must match protocol detail item descriptions.
    [TCP]
    _OVERVIEW=Transmission_Control_Protocol
    Destination port=Transmission_Control_Protocol#TCP_ports
    Source port=Transmission_Control_Protocol#TCP_ports
Right-clicking on a TCP protocol detail item will display a help menu item that displays the Wikipedia page for TCP. Right-clicking on the TCP destination or source ports will display additional help menu items that take you to the “TCP ports” section of the page.
The [location data] section can be omitted when the location needs no substitution. For example, the following configuration is functionally equivalent to the previous one:
    [database]
    source=Wikipedia
    version=1
    location=https://en.wikipedia.org/wiki/
    [map]
    tcp=TCP
    [TCP]
    _OVERVIEW=Transmission_Control_Protocol
    Destination port=Transmission_Control_Protocol#TCP_ports
    Source port=Transmission_Control_Protocol#TCP_ports
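To see how the three sections fit together, the following added example (not Wireshark's implementation) parses a protocol_help file with Python's configparser, checks the mandatory [database] keys and the reserved PATH variable, expands the location template, and produces the (menu label, URL) pairs a right-click on a TCP detail item would offer. Both sample files are constructed from the two configurations above; the menu label format is an assumption for the example.

```python
# Added example (not Wireshark's own implementation): parse a protocol_help
# .ini file, validate its mandatory keys, expand ${var} placeholders from
# [location data], and build the help URLs for a protocol detail item.
import configparser
import re

VAR = re.compile(r"\$\{([^}]+)\}")

# Constructed sample: the wikipedia.ini from the text, comments omitted.
WIKIPEDIA_INI = """\
[database]
source=Wikipedia
version=1
location=https://${language}.wikipedia.org/wiki/${PATH}

[location data]
language = en

[map]
tcp=TCP

[TCP]
_OVERVIEW=Transmission_Control_Protocol
Destination port=Transmission_Control_Protocol#TCP_ports
Source port=Transmission_Control_Protocol#TCP_ports
"""

# The equivalent form without substitution data: the path is appended.
MINIMAL_INI = """\
[database]
source=Wikipedia
version=1
location=https://en.wikipedia.org/wiki/

[map]
tcp=TCP

[TCP]
_OVERVIEW=Transmission_Control_Protocol
Destination port=Transmission_Control_Protocol#TCP_ports
Source port=Transmission_Control_Protocol#TCP_ports
"""


def load_protocol_help(ini_text: str) -> dict:
    # interpolation=None keeps configparser from expanding ${PATH} itself;
    # optionxform=str preserves the case of detail item descriptions.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(ini_text)
    db = cp["database"]
    for key in ("source", "version", "location"):
        if not db.get(key):
            raise ValueError(f"[database] key {key!r} is mandatory")
    if db["version"] != "1":
        raise ValueError("[database] version must be '1'")
    subst = dict(cp["location data"]) if cp.has_section("location data") else {}
    if "PATH" in subst:
        raise ValueError("PATH is reserved for help paths; do not define it in [location data]")
    proto_map = dict(cp["map"]) if cp.has_section("map") else {}
    sections = {}
    for proto, section in proto_map.items():
        if not cp.has_section(section):
            raise ValueError(f"[map] {proto}={section} has no matching section")
        if "_OVERVIEW" not in cp[section]:
            raise ValueError(f"[{section}] lacks the mandatory _OVERVIEW key")
        sections[section] = dict(cp[section])
    return {"source": db["source"], "location": db["location"],
            "subst": subst, "map": proto_map, "sections": sections}


def expand(template: str, subst: dict, path: str) -> str:
    """Replace ${name} from [location data] and ${PATH} with the help path;
    a template without ${PATH} gets the path appended."""
    def repl(m):
        name = m.group(1)
        if name == "PATH":
            return path
        if name not in subst:
            raise KeyError(f"${{{name}}} has no value in [location data]")
        return subst[name]
    url = VAR.sub(repl, template)
    return url if "${PATH}" in template else url + path


def help_urls(db: dict, protocol: str, description: str = None) -> list:
    """(label, url) pairs for a right-click on a detail item of `protocol`:
    the _OVERVIEW entry first, then the item's own description, if mapped."""
    section = db["map"].get(protocol)
    if section is None:
        return []
    entries = db["sections"][section]
    urls = [(f"{db['source']}: overview",
             expand(db["location"], db["subst"], entries["_OVERVIEW"]))]
    if description and description != "_OVERVIEW" and description in entries:
        urls.append((f"{db['source']}: {description}",
                     expand(db["location"], db["subst"], entries[description])))
    return urls


def rejects_reserved_path(ini_text: str) -> bool:
    """True if the file is refused because [location data] defines PATH."""
    try:
        load_protocol_help(ini_text)
    except ValueError as e:
        return "reserved" in str(e)
    return False
```

Two configparser settings matter here: with the default interpolation, `${...}` in a value is either left alone or, under ExtendedInterpolation, expanded by configparser before your own substitution sees it, and the default optionxform lowercases every key, which would break matching against descriptions such as "Destination port".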