summaryrefslogtreecommitdiffstats
path: root/doc/wsug_src/wsug_files.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'doc/wsug_src/wsug_files.adoc')
-rw-r--r--doc/wsug_src/wsug_files.adoc702
1 files changed, 702 insertions, 0 deletions
diff --git a/doc/wsug_src/wsug_files.adoc b/doc/wsug_src/wsug_files.adoc
new file mode 100644
index 00000000..7819d484
--- /dev/null
+++ b/doc/wsug_src/wsug_files.adoc
@@ -0,0 +1,702 @@
+// WSUG Appendix Files
+
+[#AppFiles]
+
+[appendix]
+== Files and Folders
+
+[#ChAppFilesCaptureFilesSection]
+
+=== Capture Files
+
+To understand which information will remain available after the captured packets
+are saved to a capture file, it’s helpful to know a bit about the capture file
+contents.
+
+Wireshark uses the
+link:https://github.com/pcapng/pcapng[pcapng] file
+format as the default format to save captured packets. It is very flexible
+but other tools may not support it.
+
+Wireshark also supports the
+{wireshark-wiki-url}/Development/LibpcapFileFormat[libpcap] file
+format. This is a much simpler format and is well established. However, it has
+some drawbacks: it’s not extensible and lacks some information that would be
+really helpful (e.g., being able to add a comment to a packet such as “the
+problems start here” would be really nice).
+
+In addition to the libpcap format, Wireshark supports several different capture
+file formats. However, the problems described above also applies for these
+formats.
+
+[#ChIOFileContentSection]
+
+==== Libpcap File Contents
+
+At the start of each libpcap capture file some basic information is stored like
+a magic number to identify the libpcap file format. The most interesting
+information of this file start is the link layer type (Ethernet, 802.11,
+MPLS, etc.).
+
+The following data is saved for each packet:
+
+* The timestamp with millisecond resolution
+
+* The packet length as it was “on the wire”
+
+* The packet length as it’s saved in the file
+
+* The packet’s raw bytes
+
+A detailed description of the libpcap file format can be found at
+{wireshark-wiki-url}Development/LibpcapFileFormat
+
+[#ChIOFileNotContentSection]
+
+==== Not Saved in the Capture File
+
+You should also know the things that are _not saved_ in capture files:
+
+* Current selections (selected packet, ...)
+
+* Name resolution information. See <<ChAdvNameResolutionSection>> for details
++
+--
+Pcapng files can optionally save name resolution information. Libpcap files
+can’t. Other file formats have varying levels of support.
+--
+
+* The number of packets dropped while capturing
+
+* Packet marks set with “Edit/Mark Packet”
+
+* Time references set with “Edit/Time Reference”
+
+* The current display filter
+
+[#ChConfigurationPluginFolders]
+
+=== Configuration File and Plugin Folders
+
+To match the different policies for Unix-like systems and Windows, and
+different policies used on different Unix-like systems, the folders
+containing configuration files and plugins are different on different
+platforms. We indicate the location of the top-level folders under
+which configuration files and plugins are stored here, giving them
+placeholder names independent of their actual location, and use those
+names later when giving the location of the folders for configuration
+files and plugins.
+
+[TIP]
+====
+A list of the folders Wireshark actually uses can be found under the _Folders_
+tab in the dialog box shown when you select _About Wireshark_ from the _Help_
+menu.
+====
+
+==== Folders on Windows
+
+_%APPDATA%_ is the personal application data folder, e.g.:
+_C:\Users{backslash}**username**\AppData\Roaming\Wireshark_ (details can be
+found at: <<ChWindowsProfiles>>).
+
+_WIRESHARK_ is the Wireshark program folder, e.g.: _C:\Program
+Files\Wireshark_.
+
+==== Folders on Unix-like systems
+
+_$XDG_CONFIG_HOME_ is the folder for user-specific configuration files.
+It’s usually _$HOME/.config_, where _$HOME_ is the user’s home folder, which
+is usually something such as _/home/**username**_, or
+_/Users/**username**_ on macOS.
+
+If you are using macOS and you are running a copy of Wireshark
+installed as an application bundle, _APPDIR_ is the top-level directory
+of the Wireshark application bundle, which will typically be
+_/Applications/Wireshark.app_. Otherwise, _INSTALLDIR_ is the top-level
+directory under which reside the subdirectories in which components of
+Wireshark are installed. This will typically be `/usr` if Wireshark is
+bundled with the system (for example, provided as a package with a Linux
+distribution) and _/usr/local_ if, for example, you’ve built Wireshark
+from source and installed it.
+
+[#ChAppFilesConfigurationSection]
+
+=== Configuration Files
+
+Wireshark uses a number of configuration files while it is running. Some of these
+reside in the personal configuration folder and are used to maintain information
+between runs of Wireshark, while some of them are maintained in system areas.
+
+The content format of the configuration files is the same on all platforms.
+
+On Windows:
+
+* The personal configuration folder for Wireshark is the
+_Wireshark_ sub-folder of that folder, i.e., _%APPDATA%\Wireshark_.
+
+* The global configuration folder for Wireshark is the Wireshark program
+folder and is also used as the system configuration folder.
+
+On Unix-like systems:
+
+* The personal configuration folder is
+_$XDG_CONFIG_HOME/wireshark_. For backwards compatibility with
+Wireshark before 2.2, if _$XDG_CONFIG_HOME/wireshark_ does not
+exist and _$HOME/.wireshark_ is present, then the latter will be used.
+
+* If you are using macOS and you are running a copy of Wireshark
+installed as an application bundle, the global configuration folder is
+_APPDIR/Contents/Resources/share/wireshark_. Otherwise, the
+global configuration folder is _INSTALLDIR/share/wireshark_.
+
+* The _/etc_ folder is the system configuration folder. The folder
+actually used on your system may vary, maybe something like:
+_/usr/local/etc_.
+
+[#AppFilesTabFolders]
+.Configuration files overview
+[options="header"]
+|===
+|File/Folder|Description
+|_cfilters_|Capture filters.
+|_colorfilters_|Coloring rules.
+|__dfilter_buttons__|Display filter buttons.
+|_dfilters_|Display filters.
+|__disabled_protos__|Disabled protocols.
+|__dmacros__|Display filter macros.
+|_ethers_|Ethernet name resolution.
+|_hosts_|IPv4 and IPv6 name resolution.
+|_ipxnets_|IPX name resolution.
+|_manuf_|Ethernet name resolution.
+|_preferences_|Settings from the Preferences dialog box.
+|_recent_|Per-profile GUI settings.
+|__recent_common__|Common GUI settings.
+|_services_|Network services.
+|_ss7pcs_|SS7 point code resolution.
+|_subnets_|IPv4 subnet name resolution.
+|_vlans_|VLAN ID name resolution.
+|_wka_|Well-known MAC addresses.
+|===
+
+[discrete]
+===== File contents
+
+cfilters::
++
+--
+This file contains all the capture filters that you have defined and saved. It
+consists of one or more lines, where each line has the following format:
+
+----
+"<filter name>" <filter string>
+----
+
+At program start, if there is a _cfilters_ file in the personal
+configuration folder, it is read. If there isn’t a _cfilters_ file in
+the personal configuration folder, then, if there is a _cfilters_ file
+in the global configuration folder, it is read.
+
+When you press the Save button in the “Capture Filters” dialog box,
+all the current capture filters are written to the personal capture
+filters file.
+--
+
+colorfilters::
++
+--
+This file contains all the color filters that you have defined and saved. It
+consists of one or more lines, where each line has the following format:
+
+----
+@<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]
+----
+
+At program start, if there is a _colorfilters_ file in the personal
+configuration folder, it is read. If there isn’t a _colorfilters_ file
+in the personal configuration folder, then, if there is a _colorfilters_
+file in the global configuration folder, it is read.
+
+When you press the Save button in the “Coloring Rules” dialog box,
+all the current color filters are written to the personal color filters
+file.
+--
+
+dfilter_buttons::
++
+--
+This file contains all the display filter buttons that you have defined and
+saved. It consists of one or more lines, where each line has the following
+format:
+
+----
+"TRUE/FALSE","<button label>","<filter string>","<comment string>"
+----
+
+where the first field is TRUE if the button is enabled (shown).
+
+At program start, if there is a __dfilter_buttons__ file in the personal
+configuration folder, it is read. If there isn’t a __dfilter_buttons__ file
+in the personal configuration folder, then, if there is a __dfilter_buttons__
+file in the global configuration folder, it is read.
+
+When you save any changes to the filter buttons, all the current display
+filter buttons are written to the personal display filter buttons file.
+--
+
+dfilters::
++
+--
+This file contains all the display filters that you have defined and saved. It
+consists of one or more lines, where each line has the following format:
+
+----
+"<filter name>" <filter string>
+----
+
+At program start, if there is a _dfilters_ file in the personal
+configuration folder, it is read. If there isn’t a _dfilters_ file in
+the personal configuration folder, then, if there is a _dfilters_ file
+in the global configuration folder, it is read.
+
+When you press the Save button in the “Display Filters” dialog box,
+all the current display filters are written to the personal display
+filters file.
+--
+
+disabled_protos::
++
+--
+Each line in this file specifies a disabled protocol name. The following are
+some examples:
+
+----
+tcp
+udp
+----
+
+At program start, if there is a __disabled_protos__ file in the global
+configuration folder, it is read first. Then, if there is a
+__disabled_protos__ file in the personal configuration folder, that is
+read; if there is an entry for a protocol set in both files, the setting
+in the personal disabled protocols file overrides the setting in the
+global disabled protocols file.
+
+When you press the Save button in the “Enabled Protocols” dialog box,
+the current set of disabled protocols is written to the personal
+disabled protocols file.
+--
+
+dmacros::
++
+--
+This file contains all the display filter macros that you have defined and saved.
+It consists of one or more lines, where each line has the following format:
+
+----
+"<macro name>" <macro expression>
+----
+
+At program start, if there is a __dmacros__ file in the personal
+configuration folder, it is read. If there isn’t a __dmacros__ file
+in the personal configuration folder, then, if there is a __dmacros__
+file in the global configuration folder, it is read.
+
+In versions of Wireshark prior to 4.4, the display filter macros were
+stored in a __dfilter_macros__ file with a somewhat different format,
+a <<ChUserTable,UAT>>. At program start if the __dmacros__ file
+is not found a __dfilter_macros__ file is looked for in the personal and
+global configuration folders and converted to the new format.
+
+When you press the Save button in the "Display Filter Macros" dialog box,
+all the current display filter macros are written to the personal display
+filter macros file.
+
+More information about Display Filter Macros is available in
+<<ChWorkDefineFilterMacrosSection>>
+--
+
+ethers::
++
+--
+When Wireshark is trying to translate a hardware MAC address to
+a name, it consults the _ethers_ file in the personal configuration
+folder first. If the address is not found in that file, Wireshark
+consults the _ethers_ file in the system configuration folder.
+
+This file has a similar format to the _/etc/ethers_ file on some Unix-like systems.
+Each line in these files consists of one hardware address and name separated by
+whitespace (tabs or spaces). The hardware addresses are expressed as pairs
+of hexadecimal digits separated by colons (:), dashes (-), or periods(.), with
+the same separator used in the entire address. A `#` can be used to indicate
+a comment that extends to the rest of the line. NIS lookups, as in some
+UNIX-like systems, are not supported. The following are some examples:
+
+----
+ff-ff-ff-ff-ff-ff Broadcast
+c0-00-ff-ff-ff-ff TR_broadcast
+00.2b.08.93.4b.a1 Freds_machine
+----
+
+The settings from this file are read in when a MAC address is to be
+translated to a name, and never written by Wireshark.
+--
+
+hosts::
++
+--
+Wireshark uses the entries in the _hosts_ files to translate IPv4 and
+IPv6 addresses into names.
+
+At program start, if there is a _hosts_ file in the global configuration
+folder, it is read first. Then, if there is a _hosts_ file in the
+personal configuration folder, that is read; if there is an entry for a
+given IP address in both files, the setting in the personal hosts file
+overrides the entry in the global hosts file.
+
+This file has the same format as the usual _/etc/hosts_ file on Unix systems.
+
+An example is:
+
+----
+# Comments must be prepended by the # sign!
+192.168.0.1 homeserver
+----
+
+The settings from this file are read in at program start and never written by
+Wireshark.
+--
+
+ipxnets::
++
+--
+When Wireshark is trying to translate an IPX network number to
+a name, it consults the _ipxnets_ file in the personal configuration
+folder first. If the address is not found in that file, Wireshark
+consults the _ipxnets_ file in the system configuration folder.
+
+
+An example is:
+----
+C0.A8.2C.00 HR
+c0-a8-1c-00 CEO
+00:00:BE:EF IT_Server1
+110f FileServer3
+----
+
+The settings from this file are read in when an IPX network number is to
+be translated to a name, and never written by Wireshark.
+--
+
+manuf::
++
+--
+At program start, if there is a _manuf_ file in the global configuration
+folder, it is read first. Then, if there is a _manuf_ file in the personal
+configuration folder, that is read; if there is an entry for a given address
+prefix in both files, the setting in the personal file overrides the entry
+in the global file.
+
+The entries in this file are used to translate MAC address prefixes into short and long manufacturer names.
+Each line consists of a MAC address prefix followed by an abbreviated manufacturer name and the full manufacturer name.
+Prefixes 24 bits long by default and may be followed by an optional length.
+Note that this is not the same format as the _ethers_ file, which does not
+allow prefix lengths.
+
+Examples are:
+
+----
+00:00:01 Xerox Xerox Corporation
+00:50:C2:00:30:00/36 Microsof Microsoft
+----
+
+In earlier versions of Wireshark, official information from the IEEE
+Registration Authority was distributed in this format as the _manuf_ file
+in the global configuration folder. In current versions of Wireshark, this
+information is compiled into the program to speed startup, but if a file
+is present in the global configuration folder it is still read, and can
+be used to supplement or replace the official data just as the personal
+file does. The compiled-in information can be written out in this format
+as a report with `tshark -G manuf`.
+
+The settings from this file are read in at program start and never written by Wireshark.
+--
+
+preferences::
++
+--
+This file contains your Wireshark preferences, including defaults for capturing
+and displaying packets. It is a simple text file containing statements of the
+form:
+
+----
+variable: value
+----
+
+At program start, if there is a _preferences_ file in the global
+configuration folder, it is read first. Then, if there is a
+_preferences_ file in the personal configuration folder, that is read;
+if there is a preference set in both files, the setting in the personal
+preferences file overrides the setting in the global preference file.
+
+If you press the Save button in the “Preferences” dialog box, all the
+current settings are written to the personal preferences file.
+--
+
+recent::
++
+--
+This file contains GUI settings that are specific to the current profile, such as column widths and toolbar visibility.
+It is a simple text file containing statements of the form:
+
+----
+variable: value
+----
+
+It is read at program start and written when preferences are saved and at program exit.
+It is also written and read whenever you switch to a different profile.
+--
+
+recent_common::
++
+--
+This file contains common GUI settings, such as recently opened capture files, recently used filters, and window geometries.
+It is a simple text file containing statements of the form:
+
+----
+variable: value
+----
+
+It is read at program start and written when preferences are saved and at program exit.
+--
+
+services::
++
+--
+Wireshark uses the _services_ files to translate port numbers into names.
+
+At program start, if there is a _services_ file in the global
+configuration folder, it is read first. Then, if there is a _services_
+file in the personal configuration folder, that is read; if there is an
+entry for a given port number in both files, the setting in the personal
+_services_ file overrides the entry in the global _services_ file.
+The format is that of the standard _services(5)_ file on UNIX-compatible
+systems.
+
+An example is:
+
+----
+mydns 5045/udp # My own Domain Name Server
+mydns 5045/tcp # My own Domain Name Server
+----
+
+In earlier versions of Wireshark, official information from the IANA
+Service Name and Transport Protocol Port Number Registry was distributed
+in this format as the _services_ file in the global configuration folder.
+In current versions of Wireshark, this information is compiled into the
+program to speed startup, but if a file is present in the global configuration
+folder it is still read, and can be used to supplement or replace the official
+data just as the personal file does. The compiled-in information can be
+written out in this format as a report with `tshark -G services`.
+
+The settings from these files are read in at program start and never
+written by Wireshark.
+--
+
+ss7pcs::
++
+--
+Wireshark uses the _ss7pcs_ file to translate SS7 point codes to node names.
+
+At program start, if there is a _ss7pcs_ file in the personal
+configuration folder, it is read.
+
+Each line in this file consists of one network indicator followed by a dash followed by a point code in decimal and a node name separated by whitespace or tab.
+
+An example is:
+----
+2-1234 MyPointCode1
+----
+
+The settings from this file are read in at program start and never written by
+Wireshark.
+--
+
+subnets::
++
+--
+Wireshark uses the __subnets__ file to translate an IPv4 address into a
+subnet name. If no exact match from a __hosts__ file or from DNS is
+found, Wireshark will attempt a partial match for the subnet of the
+address.
+
+At program start, if there is a _subnets_ file in the personal
+configuration folder, it is read first. Then, if there is a _subnets_
+file in the global configuration folder, that is read; if there is a
+preference set in both files, the setting in the global preferences file
+overrides the setting in the personal preference file.
+
+Each line in one of these files consists of an IPv4 address, a subnet
+mask length separated only by a “/” and a name separated by whitespace.
+While the address must be a full IPv4 address, any values beyond the
+mask length are subsequently ignored.
+
+An example is:
+----
+# Comments must be prepended by the # sign!
+192.168.0.0/24 ws_test_network
+----
+
+A partially matched name will be printed as “subnet-name.remaining-address”.
+For example, “192.168.0.1” under the subnet above would be printed as
+“ws_test_network.1”; if the mask length above had been 16 rather than 24, the
+printed address would be “ws_test_network.0.1”.
+
+The settings from these files are read in at program start and never
+written by Wireshark.
+
+The __subnets__ file also changes the behavior of the Endpoints and
+Conversations Statistics dialogs for the IPv4 protocol when the IPv4 user
+preference _Aggregate subnets in Statistics Dialogs_ is enabled. In this
+case, when an IPv4 address matches a subnet, the statistics dialog will
+show this subnet instead of the IPv4 address.
+--
+
+vlans::
++
+--
+Wireshark uses the _vlans_ file to translate VLAN tag IDs into names.
+
+If there is a _vlans_ file in the currently active profile folder, it is used. Otherwise, the _vlans_ file in the personal configuration folder is used.
+
+Each line in this file consists of one VLAN tag ID and a describing name separated by whitespace or tab.
+
+An example is:
+----
+123 Server-LAN
+2049 HR-Client-LAN
+----
+
+The settings from this file are read in at program start or when changing
+the active profile and are never written by Wireshark.
+--
+
+wka::
++
+--
+At program start, if there is a _wka_ file in the global configuration folder,
+it is read.
+
+The entries in this file are used to translate MAC addresses and MAC address
+prefixes into names. The format is that of the _manuf_ file. This file is
+distributed with Wireshark, and contains data assembled from various non IEEE
+but respected sources.
+
+The settings from this file are read in at program start and never written by Wireshark.
+--
+
+[#ChPluginFolders]
+
+=== Plugin folders
+
+Wireshark supports plugins for various purposes. Plugins can either be
+scripts written in Lua or code written in C or {cpp} and compiled to
+machine code.
+
+Wireshark looks for plugins in both a personal plugin folder and a
+global plugin folder. Lua plugins are stored in the plugin folders;
+compiled plugins are stored in subfolders of the plugin folders, with
+the subfolder name being the Wireshark minor version number (X.Y). There is
+another hierarchical level for each Wireshark plugin type (libwireshark,
+libwiretap and codecs). So for example the location for a libwireshark plugin
+_foo.so_ (_foo.dll_ on Windows) would be _PLUGINDIR/X.Y/epan_
+(libwireshark used to be called libepan; the other folder names are _codecs_
+and _wiretap_).
+
+On Windows:
+
+* The personal plugin folder is _%APPDATA%\Wireshark\plugins_.
+
+* The global plugin folder is _WIRESHARK\plugins_.
+
+On Unix-like systems:
+
+* The personal plugin folder is _~/.local/lib/wireshark/plugins_.
+
+[NOTE]
+====
+To provide better support for binary plugins this folder changed in Wireshark 2.5.
+It is recommended to use the new folder but *for lua scripts only* you may
+continue to use _$XDG_CONFIG_HOME/wireshark/plugins_ for backward-compatibility.
+This is useful to have older versions of Wireshark installed side-by-side. In case
+of duplicate file names between old and new the new folder wins.
+====
+
+* If you are running on macOS and Wireshark is installed as an
+application bundle, the global plugin folder is
+_%APPDIR%/Contents/PlugIns/wireshark_, otherwise it’s
+_INSTALLDIR/lib/wireshark/plugins_.
+
+[#ChWindowsFolder]
+
+=== Windows folders
+
+Here you will find some details about the folders used in Wireshark on different
+Windows versions.
+
+As already mentioned, you can find the currently used folders in the “About
+Wireshark” dialog.
+
+[#ChWindowsProfiles]
+
+==== Windows profiles
+
+Windows uses some special directories to store user configuration files which
+define the “user profile”. This can be confusing, as the default directory
+location changed from Windows version to version and might also be different for
+English and internationalized versions of Windows.
+
+[NOTE]
+====
+If you’ve upgraded to a new Windows version, your profile might be kept in the
+former location. The defaults mentioned here might not apply.
+====
+
+The following guides you to the right place where to look for Wireshark’s
+profile data.
+
+Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, and associated server editions::
+_C:\Users{backslash}**username**\AppData\Roaming\Wireshark_.
+
+Windows XP and Windows Server 2003 footnote:historical[No longer supported by Wireshark. For historical reference only.]::
+_C:\Documents and Settings{backslash}**username**\Application Data_. “Documents and
+Settings” and “Application Data” might be internationalized.
+
+[#ChWindowsRoamingProfiles]
+
+==== Windows roaming profiles
+
+Some larger Windows environments use roaming profiles. If this is the case the
+configurations of all programs you use won’t be saved on your local hard drive.
+They will be stored on the domain server instead.
+
+Your settings will travel with you from computer to computer with one exception.
+The “Local Settings” folder in your profile data (typically something like:
+_C:\Documents and Settings{backslash}**username**\Local Settings_) will not be
+transferred to the domain server. This is the default for temporary capture
+files.
+
+[#ChWindowsTempFolder]
+
+==== Windows temporary folder
+
+Wireshark uses the folder which is set by the TMPDIR or TEMP environment
+variable. This variable will be set by the Windows installer.
+
+Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, and associated server editions::
+_C:\Users{backslash}**username**\AppData\Local\Temp_
+
+Windows XP and Windows Server 2003 footnote:historical[]::
+_C:\Documents and Settings{backslash}**username**\Local Settings\Temp_
+
+// End of WSUG Appendix Files