// WSUG Appendix Files

[#AppFiles]
[appendix]
== Files and Folders

[#ChAppFilesCaptureFilesSection]
=== Capture Files

To understand which information will remain available after the captured packets are saved to a capture file, it’s helpful to know a bit about the capture file contents.

Wireshark uses the link:https://github.com/pcapng/pcapng[pcapng] file format as the default format to save captured packets. It is very flexible but other tools may not support it.

Wireshark also supports the {wireshark-wiki-url}/Development/LibpcapFileFormat[libpcap] file format. This is a much simpler format and is well established. However, it has some drawbacks: it’s not extensible and lacks some information that would be really helpful (e.g., being able to add a comment to a packet such as “the problems start here” would be really nice).

In addition to the libpcap format, Wireshark supports several different capture file formats. However, the problems described above also apply to these formats.

[#ChIOFileContentSection]
==== Libpcap File Contents

At the start of each libpcap capture file some basic information is stored, such as a magic number that identifies the libpcap file format. The most interesting information at the start of the file is the link layer type (Ethernet, 802.11, MPLS, etc.).

The following data is saved for each packet:

* The timestamp with millisecond resolution
* The packet length as it was “on the wire”
* The packet length as it’s saved in the file
* The packet’s raw bytes

A detailed description of the libpcap file format can be found at {wireshark-wiki-url}Development/LibpcapFileFormat

[#ChIOFileNotContentSection]
==== Not Saved in the Capture File

You should also know the things that are _not saved_ in capture files:

* Current selections (selected packet, ...)
* Name resolution information. See <> for details
+
--
Pcapng files can optionally save name resolution information. Libpcap files can’t. Other file formats have varying levels of support.
--
* The number of packets dropped while capturing
* Packet marks set with “Edit/Mark Packet”
* Time references set with “Edit/Time Reference”
* The current display filter

[#ChConfigurationPluginFolders]
=== Configuration File and Plugin Folders

To match the different policies for Unix-like systems and Windows, and different policies used on different Unix-like systems, the folders containing configuration files and plugins are different on different platforms.

We indicate the location of the top-level folders under which configuration files and plugins are stored here, giving them placeholder names independent of their actual location, and use those names later when giving the location of the folders for configuration files and plugins.

[TIP]
====
A list of the folders Wireshark actually uses can be found under the _Folders_ tab in the dialog box shown when you select _About Wireshark_ from the _Help_ menu.
====

==== Folders on Windows

_%APPDATA%_ is the personal application data folder, e.g.: _C:\Users{backslash}**username**\AppData\Roaming\Wireshark_ (details can be found at: <>).

_WIRESHARK_ is the Wireshark program folder, e.g.: _C:\Program Files\Wireshark_.

==== Folders on Unix-like systems

_$XDG_CONFIG_HOME_ is the folder for user-specific configuration files. It’s usually _$HOME/.config_, where _$HOME_ is the user’s home folder, which is usually something such as _/home/**username**_, or _/Users/**username**_ on macOS.

If you are using macOS and you are running a copy of Wireshark installed as an application bundle, _APPDIR_ is the top-level directory of the Wireshark application bundle, which will typically be _/Applications/Wireshark.app_. Otherwise, _INSTALLDIR_ is the top-level directory under which reside the subdirectories in which components of Wireshark are installed.
This will typically be `/usr` if Wireshark is bundled with the system (for example, provided as a package with a Linux distribution) and _/usr/local_ if, for example, you’ve built Wireshark from source and installed it.

[#ChAppFilesConfigurationSection]
=== Configuration Files

Wireshark uses a number of configuration files while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while some of them are maintained in system areas.

The content format of the configuration files is the same on all platforms.

On Windows:

* The personal configuration folder for Wireshark is the _Wireshark_ sub-folder of that folder, i.e., _%APPDATA%\Wireshark_.
* The global configuration folder for Wireshark is the Wireshark program folder and is also used as the system configuration folder.

On Unix-like systems:

* The personal configuration folder is _$XDG_CONFIG_HOME/wireshark_. For backwards compatibility with Wireshark before 2.2, if _$XDG_CONFIG_HOME/wireshark_ does not exist and _$HOME/.wireshark_ is present, then the latter will be used.
* If you are using macOS and you are running a copy of Wireshark installed as an application bundle, the global configuration folder is _APPDIR/Contents/Resources/share/wireshark_. Otherwise, the global configuration folder is _INSTALLDIR/share/wireshark_.
* The _/etc_ folder is the system configuration folder. The folder actually used on your system may vary; it may be something like _/usr/local/etc_.

[#AppFilesTabFolders]
.Configuration files overview
[options="header"]
|===
|File/Folder|Description
|_cfilters_|Capture filters.
|_colorfilters_|Coloring rules.
|__dfilter_buttons__|Display filter buttons.
|_dfilters_|Display filters.
|__disabled_protos__|Disabled protocols.
|__dmacros__|Display filter macros.
|_ethers_|Ethernet name resolution.
|_hosts_|IPv4 and IPv6 name resolution.
|_ipxnets_|IPX name resolution.
|_manuf_|Ethernet name resolution.
|_preferences_|Settings from the Preferences dialog box.
|_recent_|Per-profile GUI settings.
|__recent_common__|Common GUI settings.
|_services_|Network services.
|_ss7pcs_|SS7 point code resolution.
|_subnets_|IPv4 subnet name resolution.
|_vlans_|VLAN ID name resolution.
|_wka_|Well-known MAC addresses.
|===

[discrete]
===== File contents

cfilters::
+
--
This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

----
""
----

At program start, if there is a _cfilters_ file in the personal configuration folder, it is read. If there isn’t a _cfilters_ file in the personal configuration folder, then, if there is a _cfilters_ file in the global configuration folder, it is read.

When you press the Save button in the “Capture Filters” dialog box, all the current capture filters are written to the personal capture filters file.
--

colorfilters::
+
--
This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

----
@@@[][]
----

At program start, if there is a _colorfilters_ file in the personal configuration folder, it is read. If there isn’t a _colorfilters_ file in the personal configuration folder, then, if there is a _colorfilters_ file in the global configuration folder, it is read.

When you press the Save button in the “Coloring Rules” dialog box, all the current color filters are written to the personal color filters file.
--

dfilter_buttons::
+
--
This file contains all the display filter buttons that you have defined and saved. It consists of one or more lines, where each line has the following format:

----
"TRUE/FALSE","