wireshark/docbook/wsug_src/WSUG_app_files.xml

<!-- WSUG Appendix Files -->
<!-- $Id$ -->
<appendix id="AppFiles">
<title>Files and Folders</title>
<section id="ChAppFilesCaptureFilesSection"><title>Capture Files</title>
<para>
To understand which information will remain available after
the captured packets are saved to a capture file,
it's helpful to know a bit about the capture file contents.
</para>
<para>
Wireshark uses the libpcap file format as the default format to save
captured packets. This format has existed for a long time and is pretty simple.
However, it has some drawbacks: it is not extensible and lacks some
information that would be really helpful (e.g. being able to attach a comment
such as "the problems start here" to a packet would be really nice).
</para>
<para>
In addition to the libpcap format, Wireshark supports several other
capture file formats. However, the drawbacks described above apply
to these formats as well.
</para>
<para>
A new capture file format, the "PCAP Next Generation Dump File Format",
is currently under development and is intended to fix these drawbacks.
However, it might still take a while until the new file format is ready
and Wireshark can use it.
</para>
<section id="ChIOFileContentSection"><title>Libpcap File Contents</title>
<para>
At the start of each libpcap capture file some basic information is stored,
such as a magic number identifying the libpcap file format (and its byte order),
the format version and the snapshot length, i.e. the maximum number of bytes
saved per packet. The most interesting piece of this file header is the link
layer type (Ethernet, Token Ring, ...), as it determines how the raw bytes of
every packet are dissected.
</para>
<para>
The following data is saved for each packet:
<itemizedlist>
<listitem>
<para>
the timestamp with microsecond resolution
</para>
</listitem>
<listitem>
<para>
the packet length as it was "on the wire"
</para>
</listitem>
<listitem>
<para>
the packet length as it's saved in the file
</para>
</listitem>
<listitem>
<para>
the packet's raw bytes
</para>
</listitem>
</itemizedlist>
A detailed description of the libpcap file format can be found at:
<ulink url="http://wiki.wireshark.org/Development/LibpcapFileFormat"/>
</para>
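<para>
The following reader, written for this appendix as an added example (it is not
Wireshark or libpcap code), walks the structure just described: it decodes the
global header, detects the byte order from the magic number, and then yields
each record with its timestamp, on-wire length, captured length and raw bytes.
It refuses records whose captured length exceeds the snapshot length or the
on-wire length; libpcap never writes such records, and a reader should treat
them as corruption rather than trust them. The nanosecond-resolution magic
number is a newer libpcap variant not mentioned above, and the sample capture
built inside the block is constructed for the example, not real traffic.
</para>

```python
"""Minimal libpcap reader: added example for this appendix, not Wireshark or libpcap code.

Decodes the global header (magic number, version, snaplen, link-layer type) and
the per-packet records (timestamp, on-wire length, captured length, raw bytes)
described above, and checks the record headers instead of trusting them.
"""
import struct
from typing import Iterator, List, NamedTuple, Tuple

# libpcap magic numbers: the classic one means microsecond timestamps; the
# second is the nanosecond-resolution variant newer libpcap versions can write.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


class PcapHeader(NamedTuple):
    byte_order: str            # struct prefix: "<" little-endian or ">" big-endian
    ts_divisor: int            # 1_000_000 (usec) or 1_000_000_000 (nsec)
    version: Tuple[int, int]
    snaplen: int               # maximum number of bytes saved per packet
    linktype: int              # e.g. LINKTYPE_ETHERNET


class Packet(NamedTuple):
    timestamp: float           # seconds since the Unix epoch
    wire_len: int              # packet length as it was on the wire
    cap_len: int               # packet length as saved in the file
    data: bytes


def parse_global_header(buf: bytes) -> PcapHeader:
    """Decode the 24-byte global header, detecting byte order from the magic."""
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the 24-byte libpcap global header")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", buf[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            divisor = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
            break
    else:
        raise ValueError("not a libpcap file (unknown magic %s)" % buf[:4].hex())
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", buf[4:GLOBAL_HEADER_LEN])
    return PcapHeader(order, divisor, (major, minor), snaplen, linktype)


def iter_packets(buf: bytes, hdr: PcapHeader) -> Iterator[Packet]:
    """Walk the 16-byte record headers and the packet bytes that follow each one."""
    off = GLOBAL_HEADER_LEN
    while off < len(buf):
        if len(buf) - off < RECORD_HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, cap_len, wire_len = struct.unpack(
            hdr.byte_order + "IIII", buf[off:off + RECORD_HEADER_LEN])
        # libpcap never stores more bytes than snaplen, nor more than were on the
        # wire. A record claiming otherwise is corrupt or crafted: stop, do not guess.
        if cap_len > hdr.snaplen or cap_len > wire_len:
            raise ValueError("inconsistent record at offset %d: caplen=%d len=%d snaplen=%d"
                             % (off, cap_len, wire_len, hdr.snaplen))
        off += RECORD_HEADER_LEN
        if len(buf) - off < cap_len:
            raise ValueError("truncated packet data at offset %d" % off)
        yield Packet(ts_sec + ts_frac / hdr.ts_divisor, wire_len, cap_len, buf[off:off + cap_len])
        off += cap_len


def read_pcap(buf: bytes) -> Tuple[PcapHeader, List[Packet]]:
    hdr = parse_global_header(buf)
    return hdr, list(iter_packets(buf, hdr))


def build_sample_pcap(order: str = "<", corrupt: bool = False) -> bytes:
    """Constructed sample input, not a real capture: a 42-byte frame from the
    'Freds_machine' address used in the ethers example, then a 1514-byte frame
    truncated to the 64-byte snaplen. corrupt=True writes an impossible caplen."""
    gh = struct.pack(order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 64, LINKTYPE_ETHERNET)
    frame1 = bytes.fromhex("ffffffffffff002b08934ba10806") + b"\x00" * 28
    rec1 = struct.pack(order + "IIII", 1_700_000_000, 250_000, len(frame1), len(frame1))
    frame2 = bytes(range(64))
    cap2 = 200 if corrupt else len(frame2)
    rec2 = struct.pack(order + "IIII", 1_700_000_001, 5, cap2, 1514)
    return gh + rec1 + frame1 + rec2 + frame2


if __name__ == "__main__":
    header, packets = read_pcap(build_sample_pcap())
    print("version=%d.%d linktype=%d snaplen=%d records=%d"
          % (*header.version, header.linktype, header.snaplen, len(packets)))
    for p in packets:
        note = " (truncated by snaplen)" if p.cap_len < p.wire_len else ""
        print("%.6f caplen=%d len=%d%s" % (p.timestamp, p.cap_len, p.wire_len, note))
```

<para>
Run the block directly to print one line per record; the second sample record
is a 1514-byte frame of which only the 64-byte snapshot was saved, which is
exactly the case where "length on the wire" and "length saved in the file"
differ.
</para>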
</section>
<section id="ChIOFileNotContentSection"><title>Not Saved in the Capture File</title>
<para>
Probably even more interesting for everyday Wireshark usage are the things
that are <command>not saved</command> in the capture file:
<itemizedlist>
<listitem>
<para>
current selections (selected packet, ...)
</para>
</listitem>
<listitem>
<para>
name resolution information, see <xref
linkend="ChAdvNameResolutionSection"/> for details
<warning><title>Warning!</title>
<para>
The name resolution information is rebuilt each time Wireshark is
restarted, so it may even change when the capture file is reopened on the
same machine later. Names shown in the packet list are a property of the
analysis machine and its configuration, not of the capture; if they matter
for a report, record them together with the addresses they were resolved from.
</para>
</warning>
</para>
</listitem>
<listitem>
<para>
the number of packets dropped while capturing
</para>
</listitem>
<listitem>
<para>
packet marks set with "Edit/Mark Packet"
</para>
</listitem>
<listitem>
<para>
time references set with "Edit/Time Reference"
</para>
</listitem>
<listitem>
<para>
the current display filter
</para>
</listitem>
<listitem>
<para>
...
</para>
</listitem>
</itemizedlist>
</para>
<para>
Only the raw packets with their timestamps and lengths travel with the capture
file. Anything from the list above that you need to keep, for instance marks
and time references placed during an analysis, must be recorded separately
or redone after the file is reopened.
</para>
</section>
</section>
<section id="ChAppFilesConfigurationSection"><title>Configuration Files and Folders</title>
<para>
Wireshark uses a number of files and folders while it is running. Some
of these reside in the personal configuration folder and are used to
maintain information between runs of Wireshark, while some of them are
maintained in system areas.
</para>
<tip><title>Tip</title>
<para>A list of the folders Wireshark actually uses can be found under the
<command>Folders</command> tab of the dialog box that appears when you select
<command>About Wireshark</command> from the <command>Help</command> menu.
</para>
</tip>
<para>
The content format of the configuration files is the same on all platforms.
However, to match the different policies of Unix and Windows platforms,
different folders are used for these files.
</para>
<table id="AppFilesTabFolders" frame="none">
<title>Configuration files and folders overview</title>
<tgroup cols="4">
<colspec colnum="1" colwidth="72pt"/>
<colspec colnum="2" colwidth="80pt"/>
<colspec colnum="3" colwidth="80pt"/>
<thead>
<row>
<entry>File/Folder</entry>
<entry>Description</entry>
<entry>Unix/Linux folders</entry>
<entry>Windows folders</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>preferences</command></entry>
<entry>Settings from the Preferences dialog box.</entry>
<entry>/etc/wireshark.conf, $HOME/.wireshark/preferences</entry>
<entry>%WIRESHARK%\wireshark.conf, %APPDATA%\Wireshark\preferences</entry>
</row>
<row>
<entry><command>recent</command></entry>
<entry>Recent GUI settings (e.g. recent files lists).</entry>
<entry>$HOME/.wireshark/recent</entry>
<entry>%APPDATA%\Wireshark\recent</entry>
</row>
<row>
<entry><command>cfilters</command></entry>
<entry>Capture filters.</entry>
<entry>$HOME/.wireshark/cfilters</entry>
<entry>%WIRESHARK%\cfilters, %APPDATA%\Wireshark\cfilters</entry>
</row>
<row>
<entry><command>dfilters</command></entry>
<entry>Display filters.</entry>
<entry>$HOME/.wireshark/dfilters</entry>
<entry>%WIRESHARK%\dfilters, %APPDATA%\Wireshark\dfilters</entry>
</row>
<row>
<entry><command>colorfilters</command></entry>
<entry>Coloring rules.</entry>
<entry>$HOME/.wireshark/colorfilters</entry>
<entry>%WIRESHARK%\colorfilters, %APPDATA%\Wireshark\colorfilters</entry>
</row>
<row>
<entry><command>disabled_protos</command></entry>
<entry>Disabled protocols.</entry>
<entry>$HOME/.wireshark/disabled_protos</entry>
<entry>%WIRESHARK%\disabled_protos, %APPDATA%\Wireshark\disabled_protos</entry>
</row>
<row>
<entry><command>ethers</command></entry>
<entry>Ethernet name resolution.</entry>
<entry>/etc/ethers, $HOME/.wireshark/ethers</entry>
<entry>%WIRESHARK%\ethers, %APPDATA%\Wireshark\ethers</entry>
</row>
<row>
<entry><command>manuf</command></entry>
<entry>Ethernet name resolution.</entry>
<entry>/etc/manuf, $HOME/.wireshark/manuf</entry>
<entry>%WIRESHARK%\manuf, %APPDATA%\Wireshark\manuf</entry>
</row>
<row>
<entry><command>hosts</command></entry>
<entry>IPv4 and IPv6 name resolution.</entry>
<entry>/etc/hosts, $HOME/.wireshark/hosts</entry>
<entry>%WIRESHARK%\hosts, %APPDATA%\Wireshark\hosts</entry>
</row>
<row>
<entry><command>ipxnets</command></entry>
<entry>IPX name resolution.</entry>
<entry>/etc/ipxnets, $HOME/.wireshark/ipxnets</entry>
<entry>%WIRESHARK%\ipxnets, %APPDATA%\Wireshark\ipxnets</entry>
</row>
<row>
<entry><command>plugins</command></entry>
<entry>Plugin directories.</entry>
<entry>/usr/share/wireshark/plugins,
/usr/local/share/wireshark/plugins,
$HOME/.wireshark/plugins
</entry>
<entry>%WIRESHARK%\plugins\&lt;version&gt;,
%APPDATA%\Wireshark\plugins</entry>
</row>
<row>
<entry><command>temp</command></entry>
<entry>Temporary files.</entry>
<entry>Environment: TMPDIR</entry>
<entry>Environment: TMPDIR or TEMP</entry>
</row>
</tbody>
</tgroup>
</table>
<note><title>Windows folders</title>
<para>
%APPDATA% points to the personal configuration folder, e.g.:
<filename>C:\Documents and Settings\&lt;username&gt;\Application Data</filename>
(details can be found at: <xref linkend="ChWindowsProfiles"/>).
</para>
<para>
%WIRESHARK% points to the Wireshark program folder, e.g.:
<filename>C:\Program Files\Wireshark</filename>
</para>
</note>
<note><title>Unix/Linux folders</title>
<para>
The <filename>/etc</filename> folder is the global Wireshark configuration
folder. The folder actually used on your system may vary; it might be
something like <filename>/usr/local/etc</filename>.
</para>
<para>
$HOME is usually something like: <filename>/home/&lt;username&gt;</filename>
</para>
</note>
<para>
<variablelist>
<varlistentry>
<term><command>preferences/wireshark.conf</command></term>
<listitem>
<para>
This file contains your Wireshark preferences,
including defaults for capturing and displaying packets.
It is a simple text file containing statements of the form:
<programlisting>
variable: value
</programlisting>
The settings from this file are
read in at program start and written to disk when you press the
Save button in the "Preferences" dialog box.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>recent</command></term>
<listitem>
<para>
This file contains various GUI related settings like the main window
position and size, the recent files list and such.
It is a simple text file containing statements of the form:
<programlisting>
variable: value
</programlisting>
It is read at program start and written at program exit.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>cfilters</command></term>
<listitem>
<para>
This file contains all the capture filters that you have defined
and saved. It consists of one or more lines, where each
line has the following format:
<programlisting>
"&lt;filter name>" &lt;filter string>
</programlisting>
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Capture Filters" dialog
box.
</para>
</listitem>
</varlistentry>
<varlistentry><term><command>dfilters</command></term>
<listitem>
<para>
This file contains all the display filters that you have defined
and saved. It consists of one or more lines, where each
line has the following format:
<programlisting>
"&lt;filter name>" &lt;filter string>
</programlisting>
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Display Filters" dialog
box.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>colorfilters</command></term>
<listitem>
<para>
This file contains all the color filters that you have
defined and saved. It consists of one or more lines,
where each line has the following format (each RGB value is a triplet of
comma-separated 16-bit components, 0 to 65535):
<programlisting>
@&lt;filter name>@&lt;filter string>@[&lt;bg RGB(16-bit)>][&lt;fg RGB(16-bit)>]
</programlisting>
</para>
<para>
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Coloring Rules" dialog
box.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>disabled_protos</command></term>
<listitem>
<para>
Each line in this file specifies a disabled protocol name. The
following are some examples:
<programlisting>
tcp
udp
</programlisting>
</para>
<para>
The settings from this file are read in at program start and written
to disk when you press the Save button in the "Enabled Protocols"
dialog box.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<command>ethers</command>
</term>
<listitem>
<para>
When Wireshark is trying to translate Ethernet hardware
addresses to names, it consults the files listed in
<xref linkend="AppFilesTabFolders"/>.
If an address is not found in /etc/ethers,
Wireshark looks in $HOME/.wireshark/ethers.
</para>
<para>
Each line in these files consists of one hardware address and
a name separated by whitespace. The digits of hardware
addresses are separated by colons (:), dashes (-) or
periods (.). The following are some examples:
<programlisting>
ff-ff-ff-ff-ff-ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.2b.08.93.4b.a1 Freds_machine
</programlisting>
The settings from this file are read in at program start and never
written by Wireshark.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manuf</command></term>
<listitem>
<para>
Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
to translate the first three bytes of an Ethernet address into a
manufacturer's name. This file has the same format as the ethers
file, except that the addresses are three bytes long.
</para>
<para>
An example is:
<programlisting>
00:00:01 Xerox # XEROX CORPORATION
</programlisting>
</para>
<para>
The settings from this file are read in at program start and never
written by Wireshark.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>hosts</command></term>
<listitem>
<para>
Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
to translate IPv4 and IPv6 addresses into names.
</para>
<para>
This file has the same format as the usual /etc/hosts file on Unix systems.
</para>
<para>
An example is:
<programlisting>
# Comments start with the # sign
192.168.0.1 homeserver
</programlisting>
</para>
<para>
The settings from this file are read in at program start and never
written by Wireshark.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>ipxnets</command></term>
<listitem>
<para>
Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
to translate IPX network numbers into names.
</para>
<para>
An example is:
<programlisting>
C0.A8.2C.00 HR
c0-a8-1c-00 CEO
00:00:BE:EF IT_Server1
110f FileServer3
</programlisting>
</para>
<para>
The settings from this file are read in at program start and never
written by Wireshark.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>plugins</command> folder</term>
<listitem>
<para>
Wireshark searches for plugins in the directories listed in
<xref linkend="AppFilesTabFolders"/>.
They are searched in the order listed. Plugins are executable code loaded
into the Wireshark process, so these directories, the personal one included,
should be writable only by accounts you trust.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>temp</command> folder</term>
<listitem>
<para>
If you start a new capture and don't specify a filename for it,
Wireshark uses this directory to place that file in, see
<xref linkend="ChCapCaptureFiles"/>.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
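<para>
The lookup order described above for the <command>ethers</command> and
<command>manuf</command> files, as an added example for this appendix (not
Wireshark code): the system ethers file is consulted first, the personal file
only for addresses the system file does not name, and an address without an
ethers entry falls back to the vendor prefix in manuf. The three separator
styles are accepted interchangeably. The sample file contents embedded in the
block reuse the example lines from this appendix plus constructed entries: the
Acme prefix is made up, and the Vendor_xx:xx:xx output form follows how
Wireshark displays a partially resolved address.
</para>

```python
"""Name resolution from ethers and manuf files: added example for this appendix,
not Wireshark code.

Lookup order as documented above: the system ethers file first, the personal
ethers file only for addresses the system file does not list, then the vendor
prefix from manuf. Separators ':' '-' and '.' are accepted interchangeably.
"""
import re
from typing import Dict, Optional

_SEP = re.compile(r"[:.\-]")
_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def normalize_addr(text: str, nbytes: int) -> Optional[str]:
    """Return an nbytes-long address as lowercase 'aa:bb:..', or None if the
    token is not an address of that length in one of the three separator styles."""
    parts = _SEP.split(text.strip())
    if len(parts) != nbytes or not all(_HEX_BYTE.match(p) for p in parts):
        return None
    return ":".join(p.lower() for p in parts)


def parse_addr_file(text: str, nbytes: int) -> Dict[str, str]:
    """Parse '<address> <name>' lines. '#' starts a comment, blank lines are
    skipped, and a later duplicate address overrides an earlier one."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr = normalize_addr(fields[0], nbytes)
        if addr is None or len(fields) < 2:
            raise ValueError(f"line {lineno}: expected a {nbytes}-byte address and a name: {raw!r}")
        table[addr] = fields[1]
    return table


class EtherResolver:
    def __init__(self, system_ethers: str, personal_ethers: str, manuf: str):
        system = parse_addr_file(system_ethers, 6)
        personal = parse_addr_file(personal_ethers, 6)
        # system entries win; personal entries only fill in addresses the system file lacks
        self.ethers = {**personal, **system}
        self.manuf = parse_addr_file(manuf, 3)

    def resolve(self, mac: str) -> str:
        addr = normalize_addr(mac, 6)
        if addr is None:
            raise ValueError(f"not a 6-byte hardware address: {mac!r}")
        if addr in self.ethers:                  # exact entry from ethers
            return self.ethers[addr]
        oui, host = addr[:8], addr[9:]           # first three bytes / remaining three
        if oui in self.manuf:                    # vendor prefix from manuf
            return f"{self.manuf[oui]}_{host}"   # Vendor_xx:xx:xx, the form Wireshark displays
        return addr                              # nothing matched: show the address itself


# Constructed sample files. The three system ethers lines and the Xerox manuf
# line are the examples from this appendix; the other entries are made up, and
# 00:2b:08 is not a real vendor assignment.
SYSTEM_ETHERS = """\
ff-ff-ff-ff-ff-ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.2b.08.93.4b.a1 Freds_machine
"""
PERSONAL_ETHERS = """\
# this entry loses: the system file already names the address
00:2b:08:93:4b:a1 Not_Fred
00:2b:08:11:22:33 Lab_printer
"""
MANUF = """\
00:00:01 Xerox # XEROX CORPORATION
00:2b:08 Acme  # constructed prefix for this example
"""


def build_example_resolver() -> EtherResolver:
    return EtherResolver(SYSTEM_ETHERS, PERSONAL_ETHERS, MANUF)


if __name__ == "__main__":
    resolver = build_example_resolver()
    for mac in ("00:2B:08:93:4B:A1", "00-2b-08-11-22-33", "00.00.01.aa.bb.cc", "02:00:00:00:00:01"):
        print(f"{mac:18} -> {resolver.resolve(mac)}")
```

<para>
Because the personal files live in a folder writable by the user running
Wireshark and none of this information is stored in the capture file, a name
shown in the packet list is only as trustworthy as the machine and profile it
was resolved on; keep the address next to the name in any finding.
</para>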
</section>
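<para>
An added example for the <command>dfilters</command> and
<command>colorfilters</command> formats documented in the preceding section
(written for this appendix, not Wireshark code): a parser and writer pair that
round-trips entries and validates them before they are dropped into a profile
folder, for instance when a set of hunting filters is generated by a script.
The filter names and rules in the embedded sample are constructed; the field
names used in them are real Wireshark display filter fields. Rejecting a
'@' in a colorfilters rule name and a double quote in a dfilters name is this
example's choice, since either character would collide with the separators.
</para>

```python
"""Read and write dfilters and colorfilters entries: added example for this
appendix, not Wireshark code.

RGB components are the 16-bit values (0..65535) the colorfilters file uses.
"""
import re
from typing import List, NamedTuple, Tuple

RGB16 = Tuple[int, int, int]


class ColorRule(NamedTuple):
    name: str
    filter: str
    bg: RGB16
    fg: RGB16


# "<name>" <filter>: the name is quoted, the rest of the line is the filter.
_DFILTER = re.compile(r'^"(?P<name>[^"]*)"\s+(?P<filter>\S.*)$')
# @<name>@<filter>@[<bg>][<fg>]: the filter is matched greedily so a literal '@'
# inside it (e.g. in a string match) does not break parsing; names may not contain '@'.
_COLOR = re.compile(r'^@(?P<name>[^@]*)@(?P<filter>.*)@\[(?P<bg>[^\]]*)\]\[(?P<fg>[^\]]*)\]$')


def parse_dfilters(text: str) -> List[Tuple[str, str]]:
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _DFILTER.match(line)
        if not m:
            raise ValueError(f'dfilters line {lineno}: expected "<name>" <filter>')
        rules.append((m["name"], m["filter"].rstrip()))
    return rules


def format_dfilter(name: str, flt: str) -> str:
    if '"' in name or "\n" in name + flt or not flt.strip():
        raise ValueError("name may not contain double quotes; neither field may span lines")
    return f'"{name}" {flt}'


def _rgb16(text: str) -> RGB16:
    parts = [int(p) for p in text.split(",")]
    if len(parts) != 3 or not all(0 <= p <= 0xFFFF for p in parts):
        raise ValueError(f"bad 16-bit RGB triplet: {text!r}")
    return parts[0], parts[1], parts[2]


def rgb8_to_16(r: int, g: int, b: int) -> RGB16:
    """Scale 8-bit components (0..255) to the 16-bit range: 0xFF -> 0xFFFF."""
    if not all(0 <= c <= 0xFF for c in (r, g, b)):
        raise ValueError("8-bit components must be 0..255")
    return r * 257, g * 257, b * 257


def parse_colorfilters(text: str) -> List[ColorRule]:
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _COLOR.match(line)
        if not m:
            raise ValueError(f"colorfilters line {lineno}: expected @<name>@<filter>@[bg][fg]")
        rules.append(ColorRule(m["name"], m["filter"], _rgb16(m["bg"]), _rgb16(m["fg"])))
    return rules


def format_colorfilter(rule: ColorRule) -> str:
    if "@" in rule.name or "\n" in rule.name + rule.filter:
        raise ValueError("rule name may not contain '@'; fields may not span lines")
    bg, fg = ",".join(map(str, rule.bg)), ",".join(map(str, rule.fg))
    return f"@{rule.name}@{rule.filter}@[{bg}][{fg}]"


# Constructed sample content for this example; the field names are real
# Wireshark display filter fields, the rules themselves are made up.
SAMPLE_DFILTERS = """\
"HTTP POSTs" http.request.method == "POST"
"Not ARP" !arp
"""
SAMPLE_COLORFILTERS = """\
@Pastebin lookups@dns.qry.name contains "pastebin"@[65535,0,0][65535,65535,65535]
@Mail to example.org@smtp.req.parameter contains "@example.org"@[0,0,0][65535,24383,24383]
"""

if __name__ == "__main__":
    for name, flt in parse_dfilters(SAMPLE_DFILTERS):
        print(format_dfilter(name, flt))
    for rule in parse_colorfilters(SAMPLE_COLORFILTERS):
        print(format_colorfilter(rule))
```

<para>
Wireshark rereads both files only at program start, so a file generated this
way takes effect after a restart, and the Save button in the corresponding
dialog will overwrite it with whatever the GUI currently holds.
</para>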
<section id="ChWindowsFolder"><title>Windows folders</title>
<para>
Here you will find some details about the folders used in Wireshark
on different Windows versions.
</para>
<para>
As already mentioned, you can find the currently used folders in the
<command>About Wireshark</command> dialog.
</para>
<section id="ChWindowsProfiles"><title>Windows profiles</title>
<para>
Windows uses some special directories, collectively called the user profile,
to store user configuration files in. This can be confusing, as the default
directory location has changed from version to version and might also differ
between English and internationalized versions of Windows.
</para>
<note><title>Note!</title>
<para>
If you upgraded to a new Windows version, your profile might have been kept
in its former location, so the defaults mentioned here might not apply.
</para>
</note>
<para>
The following list shows where to look for Wireshark's profile data on each
Windows version.
</para>
<para>
<variablelist>
<varlistentry>
<term><command>Vista</command></term>
<listitem>
<para>
<filename>C:\Users\&lt;username&gt;\AppData\Roaming\Wireshark</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>XP/2000</command></term>
<listitem>
<para>
<filename>C:\Documents and Settings\&lt;username&gt;\Application Data\Wireshark</filename>,
where "Documents and Settings" and "Application Data" might be internationalized.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>NT 4 (no longer supported by Wireshark)</command></term>
<listitem>
<para>
<filename>C:\WINNT\Profiles\&lt;username&gt;\Application Data\Wireshark</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>ME/98 - with enabled user profiles (no longer supported by Wireshark)</command></term>
<listitem>
<para>
In Windows ME and 98 you can enable separate user profiles. In that case,
something like:
<filename>C:\windows\Profiles\&lt;username&gt;\Application Data\Wireshark</filename>
is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>ME/98/95 (no longer supported by Wireshark)</command></term>
<listitem>
<para>
The default in Windows ME/98/95 is: all users work with the same profile,
which is located at:
<filename>C:\windows\Application Data\Wireshark</filename>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</section>
<section id="ChWindowsRoamingProfiles">
<title>Windows Vista/XP/2000/NT roaming profiles</title>
<para>
The following is only applicable if you are using roaming profiles.
This might be the case if you work in a Windows domain environment
(used in company networks). The configurations of all
programs you use are then not saved on the local hard drive of the computer
you are currently working on, but on the domain server.
</para>
<para>
As Wireshark uses the correct places to store its profile data,
your settings will travel with you if you log on to a different computer
the next time. Note that this includes the <command>recent</command> file,
and with it the names and locations of the capture files you opened last.
</para>
<para>
There is an exception to this: the "Local Settings" folder in your profile
data (typically something like
<filename>C:\Documents and Settings\&lt;username&gt;\Local Settings</filename>)
is not transferred to the domain server. This is the default location for
temporary capture files, so an unsaved capture stays on the machine where
it was taken.
</para>
</section>
<section id="ChWindowsTempFolder">
<title>Windows temporary folder</title>
<para>
Wireshark uses the folder set by the TMPDIR or TEMP environment
variable. TEMP is normally set by Windows itself for every user.
</para>
<para>
<variablelist>
<varlistentry>
<term><command>Vista</command></term>
<listitem>
<para>
<filename>C:\Users\&lt;username&gt;\AppData\Local\Temp</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>XP/2000</command></term>
<listitem>
<para>
<filename>C:\Documents and Settings\&lt;username&gt;\Local Settings\Temp</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>NT 4</command></term>
<listitem>
<para>
<filename>C:\TEMP</filename>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</section>
</section>
</appendix>
<!-- End of WSUG Appendix Files -->