<!-- WSUG Appendix Files -->
<appendix id="AppFiles">
<title>Files and Folders</title>
<section id="ChAppFilesCaptureFilesSection"><title>Capture Files</title>
To understand which information will remain available after
the captured packets are saved to a capture file,
it's helpful to know a bit about the capture file contents.
Wireshark uses the libpcap file format as the default format to save
captured packets; this format has existed for a long time and it's pretty simple.
However, it has some drawbacks: it's not extensible and lacks some
information that would be really helpful (e.g. being able to add a comment
to a packet such as "the problems start here" would be really nice).
In addition to the libpcap format, Wireshark supports several different
capture file formats. However, the problems described above also apply
A new capture file format "PCAP Next Generation Dump File Format"
is currently under development, which will fix these drawbacks.
However, it still might take a while until the new file format is ready
and Wireshark can use it.
<section id="ChIOFileContentSection"><title>Libpcap File Contents</title>
At the start of each libpcap capture file some basic information is stored,
like a magic number to identify the libpcap file format.
The most interesting item in this file header is the link layer type
(Ethernet, Token Ring, ...).
The following data is saved for each packet:
the timestamp with millisecond resolution
the packet length as it was "on the wire"
the packet length as it's saved in the file
the packet's raw bytes
A detailed description of the libpcap file format can be found at:
<ulink url="http://wiki.wireshark.org/Development/LibpcapFileFormat"/>
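As an added example (not part of the User's Guide), the following Python reads a libpcap file held in memory the way the format description linked above lays it out: it checks the magic number, derives byte order and timestamp resolution from it (the classic format stores whole seconds plus a microsecond fraction, or a nanosecond fraction with the 0xa1b23c4d magic), reads the link layer type from the global header, then walks the per-packet records (timestamp, length on the wire, length saved in the file, raw bytes). The sample capture is constructed inline. The two record checks, saved length never exceeding the wire length and the fraction staying below one second, are this example's own way of rejecting a corrupt file rather than guessing at the rest of it.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Classic libpcap magic numbers as they appear in the first four bytes of the
# file. The magic also tells us the byte order the writer used and whether the
# timestamp fraction is in microseconds or nanoseconds.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, network
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1


@dataclass
class PcapHeader:
    byte_order: str          # struct prefix, "<" or ">"
    ts_divisor: int          # 1e6 or 1e9, taken from the magic
    version: Tuple[int, int]
    snaplen: int
    linktype: int            # the link layer type the text mentions


@dataclass
class PcapRecord:
    ts: float        # seconds since the epoch, fraction from ts_frac
    caplen: int      # bytes actually saved in the file
    origlen: int     # bytes that were on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        # True when the capture snaplen cut the frame short
        return self.caplen < self.origlen


def parse_global_header(buf: bytes) -> PcapHeader:
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the %d-byte global header" % GLOBAL_HEADER_LEN)
    try:
        order, divisor = PCAP_MAGICS[buf[:4]]
    except KeyError:
        raise ValueError("not a libpcap file, magic %s" % buf[:4].hex()) from None
    _magic, major, minor, _zone, _sigfigs, snaplen, network = struct.unpack(
        order + "IHHiIII", buf[:GLOBAL_HEADER_LEN])
    return PcapHeader(order, divisor, (major, minor), snaplen, network)


def read_pcap(buf: bytes) -> Tuple[PcapHeader, List[PcapRecord]]:
    """Parse a whole libpcap file; raise ValueError on a malformed record
    instead of guessing where the next one starts."""
    hdr = parse_global_header(buf)
    records: List[PcapRecord] = []
    off = GLOBAL_HEADER_LEN
    while off < len(buf):
        if off + RECORD_HEADER_LEN > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(
            hdr.byte_order + "IIII", buf[off:off + RECORD_HEADER_LEN])
        # A record can never hold more bytes than were on the wire, and the
        # fraction must be below one second; either means a corrupt file.
        if caplen > origlen or ts_frac >= hdr.ts_divisor:
            raise ValueError("inconsistent record header at offset %d" % off)
        off += RECORD_HEADER_LEN
        if off + caplen > len(buf):
            raise ValueError("record data runs past end of file at offset %d" % off)
        records.append(PcapRecord(ts_sec + ts_frac / hdr.ts_divisor, caplen, origlen,
                                  buf[off:off + caplen]))
        off += caplen
    return hdr, records


def build_sample_pcap() -> bytes:
    """Constructed sample: a little-endian, microsecond-resolution file with two
    Ethernet records. Not a real capture."""
    # 14-byte Ethernet header (broadcast destination, the source address from
    # the page's ethers example, IPv4 type) followed by 20 zero payload bytes.
    frame = bytes.fromhex("ffffffffffff" "002b08934ba1" "0800") + b"\x00" * 20
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # first record saved in full: caplen == origlen
    rec1 = struct.pack("<IIII", 1_700_000_000, 250_000, len(frame), len(frame)) + frame
    # second record cut to 20 bytes by a snaplen, so caplen < origlen
    rec2 = struct.pack("<IIII", 1_700_000_001, 0, 20, len(frame)) + frame[:20]
    return header + rec1 + rec2


if __name__ == "__main__":
    hdr, recs = read_pcap(build_sample_pcap())
    print("linktype", hdr.linktype, "version", hdr.version, "records", len(recs))
    for r in recs:
        print("%.6f caplen=%d origlen=%d truncated=%s" % (r.ts, r.caplen, r.origlen, r.truncated))
```

The `truncated` flag is what the two length fields buy you: when `caplen` is below `origlen` the frame was cut by the snaplen at capture time, and any dissection of its tail is working on bytes that are simply not there.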
<section id="ChIOFileNotContentSection"><title>Not Saved in the Capture File</title>
Probably even more interesting for everyday Wireshark usage is to know
the things that are <command>not saved</command> in the capture file:
current selections (selected packet, ...)
name resolution information, see <xref
linkend="ChAdvNameResolutionSection"/> for details
<warning><title>Warning!</title>
The name resolution information is rebuilt each time Wireshark is
restarted, so this information might even change when the capture file
is reopened on the same machine later!
the number of packets dropped while capturing
packet marks set with "Edit/Mark Packet"
time references set with "Edit/Time Reference"
the current display filter
<section id="ChAppFilesConfigurationSection"><title>Configuration Files and Folders</title>
Wireshark uses a number of files and folders while it is running. Some
of these reside in the personal configuration folder and are used to
maintain information between runs of Wireshark, while some of them are
maintained in system areas.
<tip><title>Tip</title>
<para>A list of the folders Wireshark actually uses can be found under the
<command>Folders</command> tab in the dialog box shown when you select
<command>About Wireshark</command> from the <command>Help</command> menu.
The content format of the configuration files is the same on all platforms.
However, to match the different policies for Unix and Windows platforms,
different folders are used for these files.
<table id="AppFilesTabFolders" frame="none">
<title>Configuration files and folders overview</title>
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<colspec colnum="3" colwidth="80pt"/>
<entry>File/Folder</entry>
<entry>Description</entry>
<entry>Unix/Linux folders</entry>
<entry>Windows folders</entry>
<entry><command>preferences</command></entry>
<entry>Settings from the Preferences dialog box.</entry>
<entry>/etc/wireshark.conf, $HOME/.wireshark/preferences</entry>
<entry>%WIRESHARK%\wireshark.conf, %APPDATA%\Wireshark\preferences</entry>
<entry><command>recent</command></entry>
<entry>Recent GUI settings (e.g. recent files lists).</entry>
<entry>$HOME/.wireshark/recent</entry>
<entry>%APPDATA%\Wireshark\recent</entry>
<entry><command>cfilters</command></entry>
<entry>Capture filters.</entry>
<entry>$HOME/.wireshark/cfilters</entry>
<entry>%WIRESHARK%\cfilters, %APPDATA%\Wireshark\cfilters</entry>
<entry><command>dfilters</command></entry>
<entry>Display filters.</entry>
<entry>$HOME/.wireshark/dfilters</entry>
<entry>%WIRESHARK%\dfilters, %APPDATA%\Wireshark\dfilters</entry>
<entry><command>colorfilters</command></entry>
<entry>Coloring rules.</entry>
<entry>$HOME/.wireshark/colorfilters</entry>
<entry>%WIRESHARK%\colorfilters, %APPDATA%\Wireshark\colorfilters</entry>
<entry><command>disabled_protos</command></entry>
<entry>Disabled protocols.</entry>
<entry>$HOME/.wireshark/disabled_protos</entry>
<entry>%WIRESHARK%\disabled_protos, %APPDATA%\Wireshark\disabled_protos</entry>
<entry><command>ethers</command></entry>
<entry>Ethernet name resolution.</entry>
<entry>/etc/ethers, $HOME/.wireshark/ethers</entry>
<entry>%WIRESHARK%\ethers, %APPDATA%\Wireshark\ethers</entry>
<entry><command>manuf</command></entry>
<entry>Ethernet name resolution.</entry>
<entry>/etc/manuf, $HOME/.wireshark/manuf</entry>
<entry>%WIRESHARK%\manuf, %APPDATA%\Wireshark\manuf</entry>
<entry><command>hosts</command></entry>
<entry>IPv4 and IPv6 name resolution.</entry>
<entry>/etc/hosts, $HOME/.wireshark/hosts</entry>
<entry>%WIRESHARK%\hosts, %APPDATA%\Wireshark\hosts</entry>
<entry><command>ipxnets</command></entry>
<entry>IPX name resolution.</entry>
<entry>/etc/ipxnets, $HOME/.wireshark/ipxnets</entry>
<entry>%WIRESHARK%\ipxnets, %APPDATA%\Wireshark\ipxnets</entry>
<entry><command>plugins</command></entry>
<entry>Plugin directories.</entry>
<entry>/usr/share/wireshark/plugins,
/usr/local/share/wireshark/plugins,
$HOME/.wireshark/plugins
<entry>%WIRESHARK%\plugins\<version>,
%APPDATA%\Wireshark\plugins</entry>
<entry><command>temp</command></entry>
<entry>Temporary files.</entry>
<entry>Environment: TMPDIR</entry>
<entry>Environment: TMPDIR or TEMP</entry>
<note><title>Windows folders</title>
%APPDATA% points to the personal configuration folder, e.g.:
<filename>C:\Documents and Settings\<username>\Application Data</filename>
(details can be found at: <xref linkend="ChWindowsProfiles"/>),
%WIRESHARK% points to the Wireshark program folder, e.g.:
<filename>C:\Program Files\Wireshark</filename>
<note><title>Unix/Linux folders</title>
The <filename>/etc</filename> folder is the global Wireshark configuration
folder. The folder actually used on your system
may vary, for example <filename>/usr/local/etc</filename>.
$HOME is usually something like: <filename>/home/<username></filename>
<term><command>preferences/wireshark.conf</command></term>
This file contains your Wireshark preferences,
including defaults for capturing and displaying packets.
It is a simple text file containing statements of the form:
The settings from this file are
read in at program start and written to disk when you press the
Save button in the "Preferences" dialog box.
<term><command>recent</command></term>
This file contains various GUI related settings like the main window
position and size, the recent files list and such.
It is a simple text file containing statements of the form:
It is read at program start and written at program exit.
<varlistentry><term><command>cfilters</command></term>
This file contains all the capture filters that you have defined
and saved. It consists of one or more lines, where each
line has the following format:
"<filter name>" <filter string>
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Capture Filters" dialog
<varlistentry><term><command>dfilters</command></term>
This file contains all the display filters that you have defined
and saved. It consists of one or more lines, where each
line has the following format:
"<filter name>" <filter string>
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Display Filters" dialog
<term><command>colorfilters</command></term>
This file contains all the color filters that you have
defined and saved. It consists of one or more lines,
where each line has the following format:
@<filter name>@<filter string>
@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Coloring Rules" dialog
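An added example, not from the User's Guide: parsers for the two line formats given above, the quoted-name form that cfilters and dfilters share and the @name@filter@[bg][fg] form of colorfilters. The sample file contents are constructed for the example. Because Wireshark reads these files at program start, a line that does not parse is reported with its line number rather than dropped silently, so a damaged or hand-edited file is noticed; the colour components are range-checked against the 16-bit width the text states, and the reduction to an 8-bit #rrggbb string is this example's own conversion, not Wireshark's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the "<filter name>" <filter string> form used by
# cfilters and dfilters; the third line is deliberately malformed.
SAMPLE_DFILTERS = '''"Ethernet address 00:08:15:00:08:15" eth.addr == 00:08:15:00:08:15
"No ARP and no DNS" not arp and not (udp.port == 53 or tcp.port == 53)
this line has no quoted name
'''

# Constructed sample in the @name@filter@[bg][fg] form used by colorfilters.
# Components are 16-bit, so the 70000 in the last rule is out of range.
SAMPLE_COLORFILTERS = '''@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[4626,10023,11822][63479,34695,34695]
@ARP@arp@[64250,64250,64250][4626,10023,11822]
@Broken@ip@[70000,0,0][0,0,0]
'''

_FILTER_LINE = re.compile(r'^"([^"]*)"\s+(\S.*)$')
_COLOR_SPEC = re.compile(r"^\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


@dataclass
class ColorRule:
    name: str
    expression: str
    bg: Tuple[int, int, int]   # 16 bits per channel, as stored in the file
    fg: Tuple[int, int, int]


def parse_filter_file(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse cfilters/dfilters content into (name, filter string) pairs.
    Returns (entries, errors); blank lines are skipped, anything else that
    does not fit the documented form is reported with its line number."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _FILTER_LINE.match(line)
        if not m:
            errors.append('line %d: expected "<filter name>" <filter string>' % lineno)
            continue
        entries.append((m.group(1), m.group(2).strip()))
    return entries, errors


def parse_colorfilters(text: str) -> Tuple[List[ColorRule], List[str]]:
    """Parse colorfilters content into ColorRule objects plus a list of errors."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("@") or line.count("@") < 3:
            errors.append("line %d: expected @<name>@<filter>@[bg][fg]" % lineno)
            continue
        name, rest = line[1:].split("@", 1)
        # The colour block follows the last '@'; split from the right so a
        # filter string containing '@' is still handled.
        expression, colors = rest.rsplit("@", 1)
        m = _COLOR_SPEC.match(colors)
        if not m:
            errors.append("line %d: bad colour specification %r" % (lineno, colors))
            continue
        values = tuple(int(v) for v in m.groups())
        if any(v > 0xFFFF for v in values):
            errors.append("line %d: colour component exceeds 16 bits" % lineno)
            continue
        rules.append(ColorRule(name, expression, values[:3], values[3:]))
    return rules, errors


def rgb16_to_hex(rgb: Tuple[int, int, int]) -> str:
    """Reduce a 16-bit-per-channel colour to #rrggbb by keeping the high byte
    of each component (this example's own conversion)."""
    return "#%02x%02x%02x" % tuple(c >> 8 for c in rgb)


if __name__ == "__main__":
    entries, errors = parse_filter_file(SAMPLE_DFILTERS)
    for name, expr in entries:
        print("filter %r -> %s" % (name, expr))
    rules, color_errors = parse_colorfilters(SAMPLE_COLORFILTERS)
    for rule in rules:
        print("rule %r bg=%s fg=%s" % (rule.name, rgb16_to_hex(rule.bg), rgb16_to_hex(rule.fg)))
    for err in errors + color_errors:
        print("rejected:", err)
```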
<term><command>disabled_protos</command></term>
Each line in this file specifies a disabled protocol name. The
following are some examples:
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Enabled Protocols"
<command>ethers</command>
When Wireshark is trying to translate Ethernet hardware
addresses to names, it consults the files listed in
<xref linkend="AppFilesTabFolders"/>.
If an address is not found in /etc/ethers,
Wireshark looks in $HOME/.wireshark/ethers
Each line in these files consists of one hardware address and
name separated by whitespace. The digits of hardware
addresses are separated by colons (:), dashes (-) or
periods (.). The following are some examples:
ff-ff-ff-ff-ff-ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.2b.08.93.4b.a1 Freds_machine
The settings from this file are read in at program start and never
written by Wireshark.
<term><command>manuf</command></term>
Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
to translate the first three bytes of an Ethernet address into a
manufacturer's name. This file has the same format as the ethers
file, except addresses are three bytes long.
00:00:01 Xerox # XEROX CORPORATION
The settings from this file are read in at program start and never
written by Wireshark.
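An added example (not Wireshark's own code) of resolution over the ethers and manuf formats described above. Addresses written with colon, dash or period separators are normalised to bytes; files are consulted in the order the text gives (the global file first, then the personal one, with the first definition winning); and an address with no ethers entry falls back to the manuf vendor for its first three bytes. The vendor_xx:xx:xx rendering of that partial match is this example's own choice, as is stripping '#' comments from ethers lines (the page shows a comment only in the manuf example). All file contents are constructed inline. Because these files are read at program start and never written by Wireshark, lines the loader rejects are returned alongside the table rather than discarded, so a stray or tampered entry that would relabel an address in the packet list does not go unnoticed.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Hardware address digits may be separated by ':', '-' or '.'.
_SEP = re.compile(r"[:.-]")
_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hw_address(token: str, expected_len: int = 6) -> bytes:
    """Normalise ff-ff-ff-ff-ff-ff, 00.2b.08.93.4b.a1 or 00:00:01 to bytes."""
    parts = _SEP.split(token)
    if len(parts) != expected_len or not all(_HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError("not a %d-byte hardware address: %r" % (expected_len, token))
    return bytes(int(p, 16) for p in parts)


def load_name_table(sources: Sequence[str], addr_len: int) -> Tuple[Dict[bytes, str], List[str]]:
    """Build address -> name from file contents given in search order. The
    first source defining an address wins, matching the global-then-personal
    lookup described for ethers. Returns (table, errors)."""
    table: Dict[bytes, str] = {}
    errors: List[str] = []
    for idx, text in enumerate(sources):
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()   # drop comments (example's choice)
            if not line:
                continue
            fields = line.split()
            if len(fields) < 2:
                errors.append("source %d line %d: missing name" % (idx, lineno))
                continue
            try:
                addr = parse_hw_address(fields[0], addr_len)
            except ValueError as exc:
                errors.append("source %d line %d: %s" % (idx, lineno, exc))
                continue
            table.setdefault(addr, fields[1])   # earlier source keeps precedence
    return table, errors


def resolve_ethernet(mac: str, ethers: Dict[bytes, str], manuf: Dict[bytes, str]) -> str:
    """Full-address name from ethers; else manuf vendor for the first three
    bytes plus the remaining three (example's own vendor_xx:xx:xx form);
    else the address itself in colon notation."""
    addr = parse_hw_address(mac)
    if addr in ethers:
        return ethers[addr]
    vendor = manuf.get(addr[:3])
    if vendor:
        return "%s_%s" % (vendor, ":".join("%02x" % b for b in addr[3:]))
    return ":".join("%02x" % b for b in addr)


# Constructed sample file contents, not real configuration files.
GLOBAL_ETHERS = """ff-ff-ff-ff-ff-ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.2b.08.93.4b.a1 Freds_machine
"""
PERSONAL_ETHERS = """# $HOME/.wireshark/ethers: only consulted for addresses the global file lacks
00:2b:08:93:4b:a1 Personal_entry
00:00:01:aa:bb:cc Office_printer
zz:zz:zz:zz:zz:zz Bogus_entry
"""
MANUF = """00:00:01 Xerox # XEROX CORPORATION
"""


def build_tables() -> Tuple[Dict[bytes, str], Dict[bytes, str], List[str]]:
    """Load the constructed samples in the documented search order."""
    ethers, errors = load_name_table([GLOBAL_ETHERS, PERSONAL_ETHERS], 6)
    manuf, manuf_errors = load_name_table([MANUF], 3)
    return ethers, manuf, errors + manuf_errors


if __name__ == "__main__":
    ethers, manuf, errors = build_tables()
    for mac in ("ff:ff:ff:ff:ff:ff", "00:2b:08:93:4b:a1", "00:00:01:aa:bb:cc",
                "00:00:01:11:22:33", "02:00:00:11:22:33"):
        print(mac, "->", resolve_ethernet(mac, ethers, manuf))
    for err in errors:
        print("rejected:", err)
```

Note that 00:2b:08:93:4b:a1 resolves to Freds_machine even though the personal file also names it: the global file is consulted first, so a personal entry can only add names, not override global ones.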
<term><command>hosts</command></term>
Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
to translate IPv4 and IPv6 addresses into names.
This file has the same format as the usual /etc/hosts file on Unix systems.
# Comments must be prepended by the # sign!
192.168.0.1 homeserver
The settings from this file are read in at program start and never
written by Wireshark.
<term><command>ipxnets</command></term>
Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
to translate IPX network numbers into names.
00:00:BE:EF IT_Server1
The settings from this file are read in at program start and never
written by Wireshark.
<term><command>plugins</command> folder</term>
Wireshark searches for plugins in the directories listed in
<xref linkend="AppFilesTabFolders"/>.
They are searched in the order listed.
<term><command>temp</command> folder</term>
If you start a new capture and don't specify a filename for it,
Wireshark uses this directory to store that file; see
<xref linkend="ChCapCaptureFiles"/>.
<section id="ChWindowsFolder"><title>Windows folders</title>
Here you will find some details about the folders used in Wireshark
on different Windows versions.
As already mentioned, you can find the currently used folders in the
<command>About Wireshark</command> dialog.
<section id="ChWindowsProfiles"><title>Windows profiles</title>
Windows uses some special directories to store user configuration files
which define the "user profile". This can be confusing, as the default directory location
changed from Windows version to version and might also be different for English
and internationalized versions of Windows.
<note><title>Note!</title>
If you've upgraded to a new Windows version, your profile might
be kept in the former location, so the defaults mentioned here might not
you to the right place where to look for Wireshark's profile data.
<term><command>Vista</command></term>
<filename>C:\Users\<username>\AppData\Roaming\Wireshark</filename>
<term><command>XP/2000</command></term>
<filename>C:\Documents and Settings\<username>\Application Data</filename>,
"Documents and Settings" and "Application Data" might be internationalized.
<term><command>NT 4 (no longer supported by Wireshark)</command></term>
<filename>C:\WINNT\Profiles\<username>\Application Data\Wireshark</filename>
<term><command>ME/98 - with enabled user profiles (no longer supported by Wireshark)</command></term>
In Windows ME and 98 you can enable separate user profiles. In that case,
<filename>C:\windows\Profiles\<username>\Application Data\Wireshark</filename>
<term><command>ME/98/95 (no longer supported by Wireshark)</command></term>
The default in Windows ME/98/95 is: all users work with the same profile,
<filename>C:\windows\Application Data\Wireshark</filename>
<section id="ChWindowsRoamingProfiles">
<title>Windows Vista/XP/2000/NT roaming profiles</title>
The following will only be applicable if you are using roaming profiles.
This might be the case if you work in a Windows domain environment
(used in company networks). The configurations of all
programs you use won't be saved on the local hard drive of the computer
you are currently working on, but on the domain server.
As Wireshark is using the correct places to store its profile data,
your settings will travel with you if you log on to a different computer
There is an exception to this: the "Local Settings" folder in your profile
data (typically something like:
<filename>C:\Documents and Settings\<username>\Local Settings</filename>)
will not be transferred to the domain server. This is the default location for
temporary capture files.
<section id="ChWindowsTempFolder">
<title>Windows temporary folder</title>
Wireshark uses the folder which is set by the TMPDIR or TEMP environment
variable. This variable will be set by the Windows installer.
<term><command>Vista</command></term>
<filename>XXX - could someone give information about this?</filename>
<term><command>XP/2000</command></term>
<filename>C:\Documents and Settings\<username>\Local Settings\Temp</filename>
<term><command>NT 4</command></term>
<filename>C:\TEMP</filename>
<!-- End of WSUG Appendix Files -->