Configuration Profiles

Table of Contents

Quicklinks: Wireshark Configuration Files | Preferences

Finding the folders

You can find the relevant folders that you have on your computer with tshark -G folders.

[email protected]:~$ tshark -G folders
Temp:                	/tmp
Personal configuration:	/home/rj/.config/wireshark
Global configuration:	/usr/share/wireshark
System:              	/etc
Program:             	/usr/bin
Personal Plugins:    	/home/rj/.local/lib/wireshark/plugins/2.6
Global Plugins:      	/usr/lib/x86_64-linux-gnu/wireshark/plugins/2.6
Personal Lua Plugins:	/home/rj/.local/lib/wireshark/plugins
Global Lua Plugins:  	/usr/lib/x86_64-linux-gnu/wireshark/plugins
Extcap path:         	/usr/lib/x86_64-linux-gnu/wireshark/extcap
MaxMind database path:	/usr/share/GeoIP
MaxMind database path:	/var/lib/GeoIP
MaxMind database path:	/usr/share/GeoIP

Profiles are located in the profiles directory of the configuration folder. On this system, personal or global configuration profiles would be located in /home/rj/.config/wireshark/profiles and /usr/share/wireshark/profiles respectively.

Listing Profiles

You can use a bash one liner to show the names of available profiles:

bash$ tshark -G folders  | grep conf | awk -F':\t*' '{print $2"/profiles"}' | xargs ls
/home/rj/.config/wireshark/profiles:
Default  'No Reassembly'

/usr/share/wireshark/profiles:
Bluetooth  Classic

Profile Files

Each of these files consist of lines of data delimited with newlines, like a hosts file. A line is a comment if it starts with #.

Available Files

[This is an incomplete list]

* Wireshark reads this file/writes to this file.

Anything with [name] in it can have alphanumeric characters (\w).

Most of this table is lifted directly from Configuration Profiles.

Example Files

These files are from the Wireshark Repo or my system.

• ethers
• cfilters
• colorfilters
• dfilters
• dfilter_macros
• manuf
• services

My system files

• hosts: Hosts file from an install of Ubuntu 18.04
• preferences: Preferences file from Macos
• recent: Recent GUI settings from Macos
• disabled_protos: Contains some gaming protocols that I’ll never look at
• ethers: List of 3 MAC addresses and names

For Use with VLAN Example

Example In Name Resolutions.

• ipxnets: Based on vlan.cap
• subnets: Based on vlan.cap
• vlans: Based on vlan.cap

Creating a profile

To add a profile, all you need to do is add a folder in a profiles folder for tshark to recognize it.

mkdir -p /home/rj/.config/wireshark/profiles/NewProfile

Once you add files to it like the ones above, if you specify tshark -C NewProfile, those files will override the defaults.

Editing Your Profile

Guidelines

You may see this at the top of config files:

# DO NOT EDIT THIS FILE!  It was created by Wireshark

It might look scary, but editing config files is fine as long as you take precautions.

1. Before you start, copy your current profile folder somewhere safe
2. Follow the format used by the examples
3. If you’re unsure, use the syntax verifier below after saving to make sure files are still readable
4. Do not have Wireshark open while editing config files. Wireshark loads config files on startup, so if it’s already open, it could overwrite your configs.

Finding Default Values

It is possible to figure out what the default value is for any key, regardless of profile. For example, for key ipv6.use_geoip:, we can print the default preferences with tshark and grep for the value:

 tshark -G defaultprefs | grep "ipv6.use_geoip:"
#ipv6.use_geoip: TRUE

Current prefs can be printed with tshark -G currentprefs.

Verifying Correct Syntax After Editing

You can use this script to verify that your preferences files have the correct syntax after editing them. It will also print which config files are “extra” and “missing” per documentation. Note that “missing” a documented config is not a bad thing. For example, you will probably never need or use an IPX name resolution file.

Tshark Profile Configuration Flags

For when you don’t want to edit the defaults, tshark allow you to use a different config file or change values inline.

-C ${profile}

Use a different profile folder. Note that you can have many different folders, each with their own config files. For my available profiles, I can use the Bluetooth profile with tshark -C Bluetooth.

-o ${key:value}

Override a specific setting in preferences. This flag is good for one-time changes to preferences. If you want the change the setting permanently, it is better to edit the preferences file, through Wireshark or manually.

For example, let’s say you’re on an embedded system where you want to avoid computing checksums, which could be potentially expensive. The system default is to have checksum checking disabled, but just this one time, you want to see if the IP header has been corrupted. Given a capture named temp that has IP packets:

# Default is to not check IP checksum
tshark -r temp -V -c 1 | grep checksum
    Header checksum: 0xf9cc [validation disabled]
    [Header checksum status: Unverified]
# With IP checksum checking enabled
tshark -r temp -o ip.check_checksum:true -V -c 1 | grep checksum
    Header checksum: 0xf9cc [correct]
    [Header checksum status: Good]

-o is most used for specifying a series of required cryptographic settings like WEP or ESP. In this guide, -o is used for WPA2 and TLS1.2 decryption.

-H ${hosts}

Specify a hosts file by name. Let’s say that burritos and tacos found their way into our hosts file. I don’t know how, but it was delicious.

127.0.0.1       localhost
192.168.1.246   🌮🌮🌮🌮
8.8.8.8         🌯🌯🌯🌯

And we have a capture with 4 pings and responses to 8.8.8.8. Using -H and -Nn we can see these entries.

Further Reading

• 2014-07-01, Roy Cheok, Wireshark: A Guide to Color My Packets