<!-- WSUG Appendix Files -->
<!-- $Id$ -->

<appendix id="AppFiles">
  <title>Files and Folders</title>

  <section id="ChAppFilesCaptureFilesSection"><title>Capture Files</title>
    <para>
      To understand which information will remain available after the captured
      packets are saved to a capture file, it's helpful to know a bit about the
      capture file contents.
    </para>
    <para>
      Wireshark uses the libpcap file format as the default format to save
      captured packets; this format has existed for a long time and is pretty
      simple. However, it has some drawbacks: it's not extensible and lacks some
      information that would be really helpful (e.g. being able to add a comment
      such as "the problems start here" to a packet would be really nice).
    </para>
    <para>
      In addition to the libpcap format, Wireshark supports several different
      capture file formats. However, the problems described above also apply to
      these formats.
    </para>
    <para>
      A new capture file format, the "PCAP Next Generation Dump File Format",
      is currently under development and will fix these drawbacks. However, it
      still might take a while until the new file format is ready and Wireshark
      can use it.
    </para>

    <section id="ChIOFileContentSection"><title>Libpcap File Contents</title>
      <para>
        The file header at the start of each libpcap capture file stores some
        basic information, such as a magic number identifying the libpcap file
        format. The most interesting item in this header is the link layer type
        (Ethernet, Token Ring, ...).
      </para>
      <para>
        The following data is saved for each packet:
        <itemizedlist>
          <listitem><para>the timestamp with millisecond resolution</para></listitem>
          <listitem><para>the packet length as it was "on the wire"</para></listitem>
          <listitem><para>the packet length as it's saved in the file</para></listitem>
          <listitem><para>the packet's raw bytes</para></listitem>
        </itemizedlist>
        A detailed description of the libpcap file format can be found at:
        <ulink url="http://wiki.wireshark.org/Development/LibpcapFileFormat"/>
      </para>
    </section>
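The header and per-packet record layout described above, as an added example that is not part of the User's Guide or of Wireshark's own code: a small Python reader that pulls the link layer type and snaplen out of the file header and, for every record, the timestamp, the wire length, the saved length and the raw bytes, checking each length against the buffer before trusting it. The magic numbers, field order and link-layer type values (1 = Ethernet, 6 = Token Ring) are from the public libpcap file format; on disk the timestamp fraction is microseconds, or nanoseconds with the alternate magic number. The writer and the two sample frames are constructed here so the block runs offline.

```python
"""Minimal libpcap reader: shows what the file header and each packet record carry."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps are seconds + nanoseconds
LINKTYPE_NAMES = {1: "Ethernet", 6: "Token Ring", 101: "Raw IP", 105: "IEEE 802.11"}


@dataclass
class PcapHeader:
    endian: str              # "<" or ">", decided by how the magic number reads
    version: Tuple[int, int]
    snaplen: int             # at most this many bytes of each packet were kept
    linktype: int            # the link layer type shared by the whole file
    ts_divisor: int          # 10**6 or 10**9, chosen from the magic number


@dataclass
class PcapRecord:
    timestamp: float         # seconds since the Unix epoch
    caplen: int              # packet length as saved in the file
    origlen: int             # packet length as it was on the wire
    data: bytes              # the raw bytes, exactly caplen of them


def parse_header(buf: bytes) -> PcapHeader:
    if len(buf) < 24:
        raise ValueError("too short for a libpcap file header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file, magic %s" % buf[:4].hex())
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    return PcapHeader(endian, (major, minor), snaplen, linktype,
                      10**6 if magic == PCAP_MAGIC_USEC else 10**9)


def parse_records(buf: bytes, hdr: PcapHeader) -> List[PcapRecord]:
    records, off = [], 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(hdr.endian + "IIII", buf[off:off + 16])
        off += 16
        # The lengths come from the file, so they are checked before any byte is trusted.
        if off + caplen > len(buf):
            raise ValueError("record at offset %d claims %d bytes past end of file" % (off - 16, caplen))
        records.append(PcapRecord(ts_sec + ts_frac / hdr.ts_divisor, caplen, origlen, buf[off:off + caplen]))
        off += caplen
    return records


def read_pcap(buf: bytes) -> Tuple[PcapHeader, List[PcapRecord]]:
    hdr = parse_header(buf)
    return hdr, parse_records(buf, hdr)


def build_pcap(packets, linktype=1, snaplen=65535, endian="<", nanoseconds=False) -> bytes:
    """Constructed-sample writer; packets are (ts_sec, ts_fraction, wire_length, saved_bytes)."""
    magic = PCAP_MAGIC_NSEC if nanoseconds else PCAP_MAGIC_USEC
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, origlen, data in packets:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(data), origlen) + data
    return out


# Constructed sample, not real traffic: a 42-byte broadcast frame, then a 1514-byte frame
# of which only the first 64 bytes were kept because the capture ran with a snaplen of 64.
FRAME_A = bytes.fromhex("ffffffffffff" "0200deadbeef" "0806") + bytes(28)
FRAME_B = bytes.fromhex("0200deadbeef" "0200cafef00d" "0800") + bytes(50)
SAMPLE = build_pcap([(1_150_000_000, 250_000, len(FRAME_A), FRAME_A),
                     (1_150_000_001, 0, 1514, FRAME_B)], snaplen=64)

if __name__ == "__main__":
    hdr, recs = read_pcap(SAMPLE)
    print("libpcap %d.%d, link layer %s, snaplen %d" % (hdr.version[0], hdr.version[1],
          LINKTYPE_NAMES.get(hdr.linktype, hdr.linktype), hdr.snaplen))
    for i, r in enumerate(recs, 1):
        note = " (truncated)" if r.caplen < r.origlen else ""
        print("#%d t=%.6f wire=%d saved=%d%s dst=%s" % (i, r.timestamp, r.origlen, r.caplen,
              note, r.data[:6].hex(":")))
```

Running it shows the second record with wire length 1514 but only 64 saved bytes, which is the difference between the two lengths the list above describes. It also makes the next section concrete: there is no field anywhere in this layout for packet marks, time references, a display filter or resolved names, so a reader has nothing to recover them from.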
    <section id="ChIOFileNotContentSection"><title>Not Saved in the Capture File</title>
      <para>
        Probably even more interesting for everyday Wireshark usage is to know
        the things that are <command>not saved</command> in the capture file:
        <itemizedlist>
          <listitem><para>current selections (selected packet, ...)</para></listitem>
          <listitem>
            <para>
              name resolution information, see
              <xref linkend="ChAdvNameResolutionSection"/> for details
              <warning><title>Warning!</title>
                <para>
                  The name resolution information is rebuilt each time Wireshark
                  is restarted, so this information might even change when the
                  capture file is reopened on the same machine later!
                </para>
              </warning>
            </para>
          </listitem>
          <listitem><para>the number of packets dropped while capturing</para></listitem>
          <listitem><para>packet marks set with "Edit/Mark Packet"</para></listitem>
          <listitem><para>time references set with "Edit/Time Reference"</para></listitem>
          <listitem><para>the current display filter</para></listitem>
          <listitem><para>...</para></listitem>
        </itemizedlist>
      </para>
    </section>
  </section>

  <section id="ChAppFilesConfigurationSection"><title>Configuration Files and Folders</title>
    <para>
      Wireshark uses a number of files and folders while it is running. Some of
      these reside in the personal configuration folder and are used to maintain
      information between runs of Wireshark, while some of them are maintained
      in system areas.
    </para>
    <tip><title>Tip</title>
      <para>
        A list of the folders Wireshark actually uses can be found under the
        <command>Folders</command> tab in the dialog box that comes up when you
        select <command>About Wireshark</command> from the
        <command>Help</command> menu.
      </para>
    </tip>
    <para>
      The content format of the configuration files is the same on all
      platforms. However, to match the different policies for Unix and Windows
      platforms, different folders are used for these files.
    </para>

    <table id="AppFilesTabFolders" frame="none">
      <title>Configuration files and folders overview</title>
      <tgroup cols="4">
        <colspec colnum="1" colwidth="72pt"/>
        <colspec colnum="2" colwidth="80pt"/>
        <colspec colnum="3" colwidth="80pt"/>
        <thead>
          <row>
            <entry>File/Folder</entry>
            <entry>Description</entry>
            <entry>Unix/Linux folders</entry>
            <entry>Windows folders</entry>
          </row>
        </thead>
        <tbody>
          <row>
            <entry><command>preferences</command></entry>
            <entry>Settings from the Preferences dialog box.</entry>
            <entry>/etc/wireshark.conf, $HOME/.wireshark/preferences</entry>
            <entry>%WIRESHARK%\wireshark.conf, %APPDATA%\Wireshark\preferences</entry>
          </row>
          <row>
            <entry><command>recent</command></entry>
            <entry>Recent GUI settings (e.g. recent files lists).</entry>
            <entry>$HOME/.wireshark/recent</entry>
            <entry>%APPDATA%\Wireshark\recent</entry>
          </row>
          <row>
            <entry><command>cfilters</command></entry>
            <entry>Capture filters.</entry>
            <entry>$HOME/.wireshark/cfilters</entry>
            <entry>%WIRESHARK%\cfilters, %APPDATA%\Wireshark\cfilters</entry>
          </row>
          <row>
            <entry><command>dfilters</command></entry>
            <entry>Display filters.</entry>
            <entry>$HOME/.wireshark/dfilters</entry>
            <entry>%WIRESHARK%\dfilters, %APPDATA%\Wireshark\dfilters</entry>
          </row>
          <row>
            <entry><command>colorfilters</command></entry>
            <entry>Coloring rules.</entry>
            <entry>$HOME/.wireshark/colorfilters</entry>
            <entry>%WIRESHARK%\colorfilters, %APPDATA%\Wireshark\colorfilters</entry>
          </row>
          <row>
            <entry><command>disabled_protos</command></entry>
            <entry>Disabled protocols.</entry>
            <entry>$HOME/.wireshark/disabled_protos</entry>
            <entry>%WIRESHARK%\disabled_protos, %APPDATA%\Wireshark\disabled_protos</entry>
          </row>
          <row>
            <entry><command>ethers</command></entry>
            <entry>Ethernet name resolution.</entry>
            <entry>/etc/ethers, $HOME/.wireshark/ethers</entry>
            <entry>%WIRESHARK%\ethers, %APPDATA%\Wireshark\ethers</entry>
          </row>
          <row>
            <entry><command>manuf</command></entry>
            <entry>Ethernet name resolution.</entry>
            <entry>/etc/manuf, $HOME/.wireshark/manuf</entry>
            <entry>%WIRESHARK%\manuf, %APPDATA%\Wireshark\manuf</entry>
          </row>
          <row>
            <entry><command>hosts</command></entry>
            <entry>IPv4 and IPv6 name resolution.</entry>
            <entry>/etc/hosts, $HOME/.wireshark/hosts</entry>
            <entry>%WIRESHARK%\hosts, %APPDATA%\Wireshark\hosts</entry>
          </row>
          <row>
            <entry><command>ipxnets</command></entry>
            <entry>IPX name resolution.</entry>
            <entry>/etc/ipxnets, $HOME/.wireshark/ipxnets</entry>
            <entry>%WIRESHARK%\ipxnets, %APPDATA%\Wireshark\ipxnets</entry>
          </row>
          <row>
            <entry><command>plugins</command></entry>
            <entry>Plugin directories.</entry>
            <entry>/usr/share/wireshark/plugins,
              /usr/local/share/wireshark/plugins,
              $HOME/.wireshark/plugins</entry>
            <entry>%WIRESHARK%\plugins\&lt;version&gt;,
              %APPDATA%\Wireshark\plugins</entry>
          </row>
          <row>
            <entry><command>temp</command></entry>
            <entry>Temporary files.</entry>
            <entry>Environment: TMPDIR</entry>
            <entry>Environment: TMPDIR or TEMP</entry>
          </row>
        </tbody>
      </tgroup>
    </table>

    <note><title>Windows folders</title>
      <para>
        %APPDATA% points to the personal configuration folder, typically
        <filename>C:\Documents and Settings\&lt;username&gt;\Application Data</filename>
        (for further details, have a look at <xref linkend="ChWindowsProfiles"/>);
        %WIRESHARK% points to the Wireshark program folder, typically
        <filename>C:\Program Files\Wireshark</filename>.
      </para>
    </note>
    <note><title>Unix/Linux folders</title>
      <para>
        The <filename>/etc</filename> folder is the global Wireshark
        configuration folder. The folder actually used on your system may vary,
        for example <filename>/usr/local/etc</filename>.
      </para>
    </note>

    <para>
      <variablelist>
        <varlistentry>
          <term><command>preferences/wireshark.conf</command></term>
          <listitem>
            <para>
              This file contains your Wireshark preferences, including defaults
              for capturing and displaying packets. It is a simple text file
              containing statements of the form:
              <programlisting>
variable: value
              </programlisting>
              The settings from this file are read in at program start and
              written to disk when you press the Save button in the
              "Preferences" dialog box.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>recent</command></term>
          <listitem>
            <para>
              This file contains various GUI related settings like the main
              window position and size, the recent files list and such. It is a
              simple text file containing statements of the form:
              <programlisting>
variable: value
              </programlisting>
              It is read at program start and written at program exit.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>cfilters</command></term>
          <listitem>
            <para>
              This file contains all the capture filters that you have defined
              and saved. It consists of one or more lines, where each line has
              the following format:
              <programlisting>
"&lt;filter name&gt;" &lt;filter string&gt;
              </programlisting>
              The settings from this file are read in at program start and
              written to disk when you press the Save button in the
              "Capture Filters" dialog box.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>dfilters</command></term>
          <listitem>
            <para>
              This file contains all the display filters that you have defined
              and saved. It consists of one or more lines, where each line has
              the following format:
              <programlisting>
"&lt;filter name&gt;" &lt;filter string&gt;
              </programlisting>
              The settings from this file are read in at program start and
              written to disk when you press the Save button in the
              "Display Filters" dialog box.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>colorfilters</command></term>
          <listitem>
            <para>
              This file contains all the color filters that you have defined and
              saved. It consists of one or more lines, where each line has the
              following format:
              <programlisting>
@&lt;filter name&gt;@&lt;filter string&gt;
@[&lt;bg RGB(16-bit)&gt;][&lt;fg RGB(16-bit)&gt;]
              </programlisting>
            </para>
            <para>
              The settings from this file are read in at program start and
              written to disk when you press the Save button in the
              "Coloring Rules" dialog box.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>disabled_protos</command></term>
          <listitem>
            <para>
              Each line in this file specifies a disabled protocol name. The
              following are some examples:
              <programlisting>
tcp
udp
              </programlisting>
            </para>
            <para>
              The settings from this file are read in at program start and
              written to disk when you press the Save button in the
              "Enabled Protocols" dialog box.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>ethers</command></term>
          <listitem>
            <para>
              When Wireshark is trying to translate Ethernet hardware addresses
              to names, it consults the files listed in
              <xref linkend="AppFilesTabFolders"/>. If an address is not found
              in /etc/ethers, Wireshark looks in $HOME/.wireshark/ethers.
            </para>
            <para>
              Each line in these files consists of one hardware address and name
              separated by whitespace. The digits of hardware addresses are
              separated by colons (:), dashes (-) or periods (.). The following
              are some examples:
              <programlisting>
ff-ff-ff-ff-ff-ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.2b.08.93.4b.a1 Freds_machine
              </programlisting>
              The settings from this file are read in at program start and
              never written by Wireshark.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>manuf</command></term>
          <listitem>
            <para>
              Wireshark uses the files listed in
              <xref linkend="AppFilesTabFolders"/> to translate the first three
              bytes of an Ethernet address into a manufacturer's name. This file
              has the same format as the ethers file, except addresses are three
              bytes long.
            </para>
            <para>
              An example is:
              <programlisting>
00:00:01 Xerox # XEROX CORPORATION
              </programlisting>
            </para>
            <para>
              The settings from this file are read in at program start and
              never written by Wireshark.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>hosts</command></term>
          <listitem>
            <para>
              Wireshark uses the files listed in
              <xref linkend="AppFilesTabFolders"/> to translate IPv4 and IPv6
              addresses into names.
            </para>
            <para>
              This file has the same format as the usual /etc/hosts file on Unix
              systems.
            </para>
            <para>
              An example is:
              <programlisting>
# Comments must be prepended by the # sign!
192.168.0.1 homeserver
              </programlisting>
            </para>
            <para>
              The settings from this file are read in at program start and
              never written by Wireshark.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>ipxnets</command></term>
          <listitem>
            <para>
              Wireshark uses the files listed in
              <xref linkend="AppFilesTabFolders"/> to translate IPX network
              numbers into names.
            </para>
            <para>
              An example is:
              <programlisting>
C0.A8.2C.00 HR
c0-a8-1c-00 CEO
00:00:BE:EF IT_Server1
110f FileServer3
              </programlisting>
            </para>
            <para>
              The settings from this file are read in at program start and
              never written by Wireshark.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>plugins</command> folder</term>
          <listitem>
            <para>
              Wireshark searches for plugins in the directories listed in
              <xref linkend="AppFilesTabFolders"/>. They are searched in the
              order listed.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>temp</command> folder</term>
          <listitem>
            <para>
              If you start a new capture and don't specify a filename for it,
              Wireshark uses this directory to place that file in, see
              <xref linkend="ChCapCaptureFiles"/>.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </para>
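The line formats given above for cfilters/dfilters, colorfilters, ethers, manuf and hosts, as one added Python example that is not part of the User's Guide or of Wireshark's own code. It parses each format strictly (rejecting a malformed line instead of guessing), accepts the colon, dash and period separators the ethers entry allows, and resolves a hardware address the way the ethers and manuf entries describe: an exact match in the ethers files in lookup order (global before personal), otherwise the three-byte vendor prefix from manuf. Two details are assumptions because the text does not pin them down: each colour in a colorfilters line is read as a comma-separated r,g,b triple of 16-bit values, and a manuf-resolved address is rendered as "Vendor_xx:xx:xx", modelled on how Wireshark displays such addresses. All sample file contents are constructed from the examples in the entries above.

```python
"""Parsers for the line-oriented Wireshark configuration files described above."""
import ipaddress
import re
from typing import Dict, List, Tuple

# cfilters / dfilters: each line is  "<filter name>" <filter string>
FILTER_LINE = re.compile(r'^"([^"]*)"\s+(.*\S)\s*$')
# colorfilters: @<name>@<filter>@[<bg>][<fg>]; the r,g,b comma layout of a colour is an assumption
COLOR_LINE = re.compile(r"^@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")
HW_SEP = re.compile(r"[:.-]")


def _lines(text: str, strip_comments: bool):
    """Yield (line number, content); '#' comments are stripped only where the format allows them."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = (raw.split("#", 1)[0] if strip_comments else raw).strip()
        if line:
            yield n, line


def parse_filters(text: str) -> List[Tuple[str, str]]:
    """cfilters and dfilters share one format: a quoted name, whitespace, the filter string."""
    out = []
    for n, line in _lines(text, strip_comments=False):
        m = FILTER_LINE.match(line)
        if not m:
            raise ValueError('line %d: expected "<name>" <filter>' % n)
        out.append((m.group(1), m.group(2)))
    return out


def parse_colorfilters(text: str) -> List[dict]:
    rules = []
    for n, line in _lines(text, strip_comments=False):
        m = COLOR_LINE.match(line)
        if not m:
            raise ValueError("line %d: not a colorfilters rule" % n)
        comps = [int(v) for v in m.groups()[2:]]
        if max(comps) > 0xFFFF:
            raise ValueError("line %d: colour components are 16-bit" % n)
        rules.append({"name": m.group(1), "filter": m.group(2),
                      "bg": tuple(comps[:3]), "fg": tuple(comps[3:])})
    return rules


def normalize_hw(addr: str) -> str:
    """Accept colon, dash or period separated bytes; return the lower-case colon form."""
    parts = HW_SEP.split(addr)
    if any(len(p) != 2 or not all(c in "0123456789abcdefABCDEF" for c in p) for p in parts):
        raise ValueError("bad hardware address %r" % addr)
    return ":".join(p.lower() for p in parts)


def parse_hw_names(text: str, nbytes: int) -> Dict[str, str]:
    """ethers (6-byte addresses) and manuf (3-byte prefixes): address, whitespace, name."""
    table = {}
    for n, line in _lines(text, strip_comments=True):
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("line %d: expected address and name" % n)
        key = normalize_hw(fields[0])
        if key.count(":") != nbytes - 1:
            raise ValueError("line %d: expected a %d-byte address" % (n, nbytes))
        table[key] = fields[1]
    return table


def parse_hosts(text: str) -> Dict[str, str]:
    """Same layout as /etc/hosts: an IPv4 or IPv6 address followed by a name."""
    table = {}
    for n, line in _lines(text, strip_comments=True):
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("line %d: expected address and name" % n)
        table[str(ipaddress.ip_address(fields[0]))] = fields[1]   # raises on a bad address
    return table


class HwResolver:
    """Exact match in the ethers files in lookup order, else a vendor prefix from manuf."""

    def __init__(self, ethers_files: List[str], manuf_text: str):
        self.ethers = [parse_hw_names(t, 6) for t in ethers_files]   # global first, then personal
        self.manuf = parse_hw_names(manuf_text, 3)

    def resolve(self, addr: str) -> str:
        key = normalize_hw(addr)
        for table in self.ethers:
            if key in table:
                return table[key]
        vendor = self.manuf.get(key[:8])
        return "%s_%s" % (vendor, key[9:]) if vendor else key   # assumed display form


# Constructed sample files built from the formats shown above (not real configuration files).
CFILTERS = '"Ethernet address 00:08:15:00:08:15" ether host 00:08:15:00:08:15\n"No ARP" not arp\n'
COLORFILTERS = "@Bad TCP@tcp.analysis.flags@[0,0,0][65535,24383,24383]\n"
GLOBAL_ETHERS = "ff-ff-ff-ff-ff-ff Broadcast\nc0-00-ff-ff-ff-ff TR_broadcast\n"
PERSONAL_ETHERS = "00.2b.08.93.4b.a1 Freds_machine\n"
MANUF = "00:00:01 Xerox # XEROX CORPORATION\n"
HOSTS = "# Comments must be prepended by the # sign!\n192.168.0.1 homeserver\n"

if __name__ == "__main__":
    r = HwResolver([GLOBAL_ETHERS, PERSONAL_ETHERS], MANUF)
    for a in ("FF:FF:FF:FF:FF:FF", "00-2b-08-93-4b-a1", "00:00:01:12:34:56", "02:00:de:ad:be:ef"):
        print(a, "->", r.resolve(a))
    print(parse_filters(CFILTERS), parse_colorfilters(COLORFILTERS), parse_hosts(HOSTS))
```

Because these name files are read at program start and never written back, the names an analyst sees for an address are exactly what the files in the global and personal configuration folders say, and nothing of that is stored in the capture file itself; that is why two machines, or the same machine after a config change, can label the same packets differently.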
  </section>

  <section id="ChWindowsFolder"><title>Windows folders</title>
    <para>
      Here you will find some details about the folders used by Wireshark on
      different Windows versions.
    </para>
    <para>
      As already mentioned, you can find the currently used folders in the
      <command>About Wireshark</command> dialog.
    </para>

    <section id="ChWindowsProfiles"><title>Windows profiles</title>
      <para>
        Windows uses some special directories to store user configuration files
        in, named the user profile. This can be confusing, as the default
        directory location changed from version to version and might also be
        different for English and internationalized versions of Windows.
      </para>
      <note><title>Note!</title>
        <para>
          If you upgraded to a new Windows version, your profile might be kept
          in the former location, so the defaults mentioned here might not
          apply.
        </para>
      </note>
      <para>
        The following will try to guide you to the right place to look for
        Wireshark's profile data.
      </para>
      <para>
        <variablelist>
          <varlistentry>
            <term><command>95/98/ME</command></term>
            <listitem>
              <para>
                The default in Windows 95/98/ME is that all users work with the
                same profile, which is located at:
                <filename>C:\windows\Application Data\Wireshark</filename>
              </para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term><command>98/ME (with enabled user profiles)</command></term>
            <listitem>
              <para>
                In Windows 98 and ME you can enable separate user profiles. In
                that case, something like
                <filename>C:\windows\Profiles\&lt;username&gt;\Application Data\Wireshark</filename>
                is used.
              </para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term><command>NT 4</command></term>
            <listitem>
              <para>
                <filename>C:\WINNT\Profiles\&lt;username&gt;\Application Data\Wireshark</filename>
              </para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term><command>2000/XP</command></term>
            <listitem>
              <para>
                <filename>C:\Documents and Settings\&lt;username&gt;\Application Data</filename>;
                "Documents and Settings" and "Application Data" might be
                internationalized.
              </para>
            </listitem>
          </varlistentry>
        </variablelist>
      </para>
    </section>

    <section id="ChWindowsRoamingProfiles">
      <title>Windows NT/2000/XP roaming profiles</title>
      <para>
        The following will only be applicable if you are using roaming
        profiles. This might be the case if you work in a Windows domain
        environment (used in large company networks). The configurations of all
        programs you use won't be saved on the local hard drive of the computer
        you are currently working on, but on the domain server.
      </para>
      <para>
        As Wireshark is using the correct places to store its profile data, your
        settings will travel with you if you log on to a different computer the
        next time.
      </para>
      <para>
        There is an exception to this: the "Local Settings" folder in your
        profile data (typically something like
        <filename>C:\Documents and Settings\&lt;username&gt;\Local Settings</filename>)
        will not be transferred to the domain server. This is the default
        location for temporary capture files.
      </para>
    </section>

    <section id="ChWindowsTempFolder">
      <title>Windows temporary folder</title>
      <para>
        Wireshark uses the folder which is set by the TMPDIR or TEMP environment
        variable. This variable will be set by the Windows installer.
      </para>
      <para>
        The default location for temporary files on NT 4 is just
        <filename>C:\TEMP</filename>, and on 2000 the default location is some
        directory under your profile directory, which might have
        "Temporary Files" in the path name.
      </para>
    </section>
  </section>
</appendix>
<!-- End of WSUG Appendix Files -->