1 files changed, 88 insertions, 33 deletions
diff --git a/docbook/wsug_src/wsug_files.adoc b/doc/wsug_src/wsug_files.adoc
index 3c4364bb..7819d484 100644
--- a/docbook/wsug_src/wsug_files.adoc
+++ b/doc/wsug_src/wsug_files.adoc
@@ -19,7 +19,7 @@ format as the default format to save captured packets. It is very flexible
 but other tools may not support it.
 
 Wireshark also supports the
-link:https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat[libpcap] file
+{wireshark-wiki-url}/Development/LibpcapFileFormat[libpcap] file
 format. This is a much simpler format and is well established. However, it has
 some drawbacks: it’s not extensible and lacks some information that would be
 really helpful (e.g., being able to add a comment to a packet such as “the
@@ -49,7 +49,7 @@ The following data is saved for each packet:
 * The packet’s raw bytes
 
 A detailed description of the libpcap file format can be found at
-https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat
+{wireshark-wiki-url}Development/LibpcapFileFormat
 
 [#ChIOFileNotContentSection]
 
@@ -162,9 +162,9 @@ _/usr/local/etc_.
 |_cfilters_|Capture filters.
 |_colorfilters_|Coloring rules.
 |__dfilter_buttons__|Display filter buttons.
-|__dfilter_macros__|Display filter macros.
 |_dfilters_|Display filters.
 |__disabled_protos__|Disabled protocols.
+|__dmacros__|Display filter macros.
 |_ethers_|Ethernet name resolution.
 |_hosts_|IPv4 and IPv6 name resolution.
 |_ipxnets_|IPX name resolution.
@@ -176,6 +176,7 @@ _/usr/local/etc_.
 |_ss7pcs_|SS7 point code resolution.
 |_subnets_|IPv4 subnet name resolution.
 |_vlans_|VLAN ID name resolution.
+|_wka_|Well-known MAC addresses.
 |===
 
 [discrete]
@@ -243,29 +244,6 @@ When you save any changes to the filter buttons, all the current display
 filter buttons are written to the personal display filter buttons file.
 --
 
-dfilter_macros::
-+
---
-This file contains all the display filter macros that you have defined and saved.
-It consists of one or more lines, where each line has the following format:
-
-----
-"<macro name>" <filter string>
-----
-
-At program start, if there is a __dfilter_macros__ file in the personal
-configuration folder, it is read. If there isn’t a __dfilter_macros__ file
-in the personal configuration folder, then, if there is a __dfilter_macros__
-file in the global configuration folder, it is read.
-
-When you press the Save button in the "Display Filter Macros" dialog box,
-all the current display filter macros are written to the personal display
-filter macros file.
-
-More information about Display Filter Macros is available in
-<<ChDisplayFilterMacrosSection>>
---
-
 dfilters::
 +
 --
@@ -309,6 +287,35 @@ the current set of disabled protocols is written to the personal
 disabled protocols file.
 --
 
+dmacros::
++
+--
+This file contains all the display filter macros that you have defined and saved.
+It consists of one or more lines, where each line has the following format:
+
+----
+"<macro name>" <macro expression>
+----
+
+At program start, if there is a __dmacros__ file in the personal
+configuration folder, it is read. If there isn’t a __dmacros__ file
+in the personal configuration folder, then, if there is a __dmacros__
+file in the global configuration folder, it is read.
+
+In versions of Wireshark prior to 4.4, the display filter macros were
+stored in a __dfilter_macros__ file with a somewhat different format,
+a <<ChUserTable,UAT>>. At program start if the __dmacros__ file
+is not found a __dfilter_macros__ file is looked for in the personal and
+global configuration folders and converted to the new format.
+
+When you press the Save button in the "Display Filter Macros" dialog box,
+all the current display filter macros are written to the personal display
+filter macros file.
+
+More information about Display Filter Macros is available in
+<<ChWorkDefineFilterMacrosSection>>
+--
+
 ethers::
 +
 --
@@ -317,10 +324,13 @@ a name, it consults the _ethers_ file in the personal configuration
 folder first.  If the address is not found in that file, Wireshark
 consults the _ethers_ file in the system configuration folder.
 
-This file has the same format as the _/etc/ethers_ file on some Unix-like systems.
+This file has a similar format to the _/etc/ethers_ file on some Unix-like systems.
 Each line in these files consists of one hardware address and name separated by
-whitespace. The digits of hardware addresses are separated by colons (:), dashes
-(-) or periods(.). The following are some examples:
+whitespace (tabs or spaces). The hardware addresses are expressed as pairs
+of hexadecimal digits separated by colons (:), dashes (-), or periods(.), with
+the same separator used in the entire address. A `#` can be used to indicate
+a comment that extends to the rest of the line. NIS lookups, as in some
+UNIX-like systems, are not supported. The following are some examples:
 
 ----
 ff-ff-ff-ff-ff-ff    Broadcast
@@ -381,12 +391,17 @@ be translated to a name, and never written by Wireshark.
 manuf::
 +
 --
-At program start, if there is a _manuf_ file in the global configuration folder, it is read.
+At program start, if there is a _manuf_ file in the global configuration
+folder, it is read first.  Then, if there is a _manuf_ file in the personal
+configuration folder, that is read; if there is an entry for a given address
+prefix in both files, the setting in the personal file overrides the entry
+in the global file.
 
 The entries in this file are used to translate MAC address prefixes into short and long manufacturer names.
 Each line consists of a MAC address prefix followed by an abbreviated manufacturer name and the full manufacturer name.
 Prefixes 24 bits long by default and may be followed by an optional length.
-Note that this is not the same format as the _ethers_ file.
+Note that this is not the same format as the _ethers_ file, which does not
+allow prefix lengths.
 
 Examples are:
 
@@ -395,6 +410,15 @@ Examples are:
 00:50:C2:00:30:00/36      Microsof        Microsoft
 ----
 
+In earlier versions of Wireshark, official information from the IEEE
+Registration Authority was distributed in this format as the _manuf_ file
+in the global configuration folder. In current versions of Wireshark, this
+information is compiled into the program to speed startup, but if a file
+is present in the global configuration folder it is still read, and can
+be used to supplement or replace the official data just as the personal
+file does. The compiled-in information can be written out in this format
+as a report with `tshark -G manuf`.
+
 The settings from this file are read in at program start and never written by Wireshark.
 --
 
@@ -455,7 +479,9 @@ At program start, if there is a _services_ file in the global
 configuration folder, it is read first.  Then, if there is a _services_
 file in the personal configuration folder, that is read; if there is an
 entry for a given port number in both files, the setting in the personal
-hosts file overrides the entry in the global hosts file.
+_services_ file overrides the entry in the global _services_ file.
+The format is that of the standard _services(5)_ file on UNIX-compatible
+systems.
 
 An example is:
 
@@ -464,6 +490,15 @@ mydns       5045/udp     # My own Domain Name Server
 mydns       5045/tcp     # My own Domain Name Server
 ----
 
+In earlier versions of Wireshark, official information from the IANA
+Service Name and Transport Protocol Port Number Registry was distributed
+in this format as the _services_ file in the global configuration folder.
+In current versions of Wireshark, this information is compiled into the
+program to speed startup, but if a file is present in the global configuration
+folder it is still read, and can be used to supplement or replace the official
+data just as the personal file does. The compiled-in information can be
+written out in this format as a report with `tshark -G services`.
+
 The settings from these files are read in at program start and never
 written by Wireshark.
 --
@@ -490,7 +525,7 @@ Wireshark.
 subnets::
 +
 --
-Wireshark uses the __subnets__ files to translate an IPv4 address into a
+Wireshark uses the __subnets__ file to translate an IPv4 address into a
 subnet name.  If no exact match from a __hosts__ file or from DNS is
 found, Wireshark will attempt a partial match for the subnet of the
 address.
@@ -519,6 +554,12 @@ printed address would be “ws_test_network.0.1”.
 
 The settings from these files are read in at program start and never
 written by Wireshark.
+
+The __subnets__ file also changes the behavior of the Endpoints and
+Conversations Statistics dialogs for the IPv4 protocol when the IPv4 user
+preference _Aggregate subnets in Statistics Dialogs_ is enabled. In this
+case, when an IPv4 address matches a subnet, the statistics dialog will
+show this subnet instead of the IPv4 address.
 --
 
 vlans::
@@ -540,6 +581,20 @@ The settings from this file are read in at program start or when changing
 the active profile and are never written by Wireshark.
 --
 
+wka::
++
+--
+At program start, if there is a _wka_ file in the global configuration folder,
+it is read.
+
+The entries in this file are used to translate MAC addresses and MAC address
+prefixes into names. The format is that of the _manuf_ file. This file is
+distributed with Wireshark, and contains data assembled from various non IEEE
+but respected sources.
+
+The settings from this file are read in at program start and never written by Wireshark.
+--
+
 [#ChPluginFolders]
 
 === Plugin folders