Configuration (and other) Files and Folders

Wireshark uses a number of files and folders while it is running. Some of these reside in the personal configuration folder and are used to maintain information between runs of Wireshark, while others are maintained in system areas.

Tip: A list of the folders Wireshark actually uses can be found under the Folders tab of the dialog box that comes up when you select About Wireshark from the Help menu.

The content format of the configuration files is the same on all platforms. However, to match the different policies of Unix and Windows platforms, different folders are used for these files.

Configuration files and folders overview

| File/Folder | Description | Unix/Linux folders | Windows folders |
|---|---|---|---|
| preferences | Settings from the Preferences dialog box. | /etc/ethereal.conf, $HOME/.ethereal/preferences | %WIRESHARK%\ethereal.conf, %APPDATA%\Wireshark\preferences |
| recent | Recent GUI settings (e.g. recent files lists). | $HOME/.ethereal/recent | %APPDATA%\Wireshark\recent |
| cfilters | Capture filters. | $HOME/.ethereal/cfilters | %WIRESHARK%\cfilters, %APPDATA%\Wireshark\cfilters |
| dfilters | Display filters. | $HOME/.ethereal/dfilters | %WIRESHARK%\dfilters, %APPDATA%\Wireshark\dfilters |
| colorfilters | Coloring rules. | $HOME/.ethereal/colorfilters | %WIRESHARK%\colorfilters, %APPDATA%\Wireshark\colorfilters |
| disabled_protos | Disabled protocols. | $HOME/.ethereal/disabled_protos | %WIRESHARK%\disabled_protos, %APPDATA%\Wireshark\disabled_protos |
| ethers | Ethernet name resolution. | /etc/ethers, $HOME/.ethereal/ethers | %WIRESHARK%\ethers, %APPDATA%\Wireshark\ethers |
| manuf | Ethernet name resolution. | /etc/manuf | %WIRESHARK%\manuf |
| hosts | IPv4 and IPv6 name resolution. | $HOME/.ethereal/hosts | %APPDATA%\hosts |
| ipxnets | IPX name resolution. | $HOME/.ethereal/ipxnets | %WIRESHARK%\ipxnets |
| plugins | Plugin directories. | /usr/share/ethereal/plugins, /usr/local/share/ethereal/plugins, $HOME/.ethereal/plugins | %WIRESHARK%\plugins\<version>, %APPDATA%\Wireshark\plugins |
| temp | Temporary files. | Environment: TMPDIR | Environment: TMPDIR or TEMP |

Windows folders: %APPDATA% points to the personal configuration folder, typically C:\Documents and Settings\<username>\Application Data (for further details, see the Windows folders section below); %WIRESHARK% points to the Wireshark program folder, typically C:\Program Files\Wireshark.

Unix/Linux folders: The /etc folder is the global Wireshark configuration folder. The folder actually used on your system may vary, for example /usr/local/etc.

preferences/ethereal.conf

This file contains your Wireshark preferences, including defaults for capturing and displaying packets. It is a simple text file containing statements of the form:

    variable: value

The settings from this file are read in at program start and written to disk when you press the Save button in the "Preferences" dialog box.

recent

This file contains various GUI-related settings such as the main window position and size, the recent files list and the like. It is a simple text file containing statements of the form:

    variable: value

It is read at program start and written at program exit.

cfilters

This file contains all the capture filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

    "<filter name>" <filter string>

The settings from this file are read in at program start and written to disk when you press the Save button in the "Capture Filters" dialog box.

dfilters

This file contains all the display filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

    "<filter name>" <filter string>

The settings from this file are read in at program start and written to disk when you press the Save button in the "Display Filters" dialog box.

colorfilters

This file contains all the color filters that you have defined and saved. It consists of one or more lines, where each line has the following format:

    @<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]

The settings from this file are read in at program start and written to disk when you press the Save button in the "Coloring Rules" dialog box.

disabled_protos

Each line in this file specifies a disabled protocol name. The following are some examples:

    tcp
    udp

The settings from this file are read in at program start and written to disk when you press the Save button in the "Enabled Protocols" dialog box.

ethers

When Wireshark is trying to translate Ethernet hardware addresses to names, it consults the files listed in the table above. If an address is not found in /etc/ethers, Wireshark looks in $HOME/.ethereal/ethers.

Each line in these files consists of one hardware address and one name, separated by whitespace. The digits of hardware addresses are separated by colons (:), dashes (-) or periods (.). The following are some examples:

    ff-ff-ff-ff-ff-ff Broadcast
    c0-00-ff-ff-ff-ff TR_broadcast
    00.2b.08.93.4b.a1 Freds_machine

The settings from this file are read in at program start and never written by Wireshark.

manuf

Wireshark uses the files listed in the table above to translate the first three bytes of an Ethernet address into a manufacturer's name. This file has the same format as the ethers file, except that addresses are three bytes long. An example is:

    00:00:01 Xerox # XEROX CORPORATION

The settings from this file are read in at program start and never written by Wireshark.

hosts

Wireshark uses the files listed in the table above to translate IPv4 and IPv6 addresses into names. This file has the same format as the usual /etc/hosts file on Unix systems. An example is:

    # Comments must be prepended by the # sign!
    192.168.0.1 homeserver

The settings from this file are read in at program start and never written by Wireshark.

ipxnets

Wireshark uses the files listed in the table above to translate IPX network numbers into names. An example is:

    C0.A8.2C.00 HR
    c0-a8-1c-00 CEO
    00:00:BE:EF IT_Server1
    110f FileServer3

The settings from this file are read in at program start and never written by Wireshark.

plugins folder

Wireshark searches for plugins in the directories listed in the table above. They are searched in the order listed.

temp folder

If you start a new capture and don't specify a filename for it, Wireshark uses this directory to place that file in; see the section on the temporary folder below.
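An added example (not Wireshark's own code) that parses the two line formats described above: the address-to-name files (ethers, manuf, ipxnets) with their three separator styles and trailing comments, and colorfilters rules with a check that each RGB component fits in 16 bits. The sample inputs are constructed, and the comma-separated decimal RGB triplet layout inside the brackets is an assumption.

```python
import re

# Constructed sample (not from the page) in the ethers/manuf/ipxnets format:
# one address and one name per line, digits split by ':', '-' or '.', '#' comments.
ADDRESS_SAMPLE = """\
ff-ff-ff-ff-ff-ff Broadcast
00.2b.08.93.4b.a1 Freds_machine
00:00:01 Xerox # XEROX CORPORATION
110f FileServer3
"""

# Constructed colorfilters sample; comma-separated decimal RGB triplets inside
# the brackets are an assumption about how the 16-bit values are written.
COLORFILTERS_SAMPLE = """\
@Bad TCP@tcp.analysis.flags@[0,0,0][65535,24383,24383]
@ARP@arp@[64250,61680,0][0,0,0]
"""

def parse_address_file(text: str) -> dict[str, str]:
    """Map each address (lowercase, colon-separated bytes) to its name; 6-byte
    ethers, 3-byte manuf and 4-byte ipxnets entries are all accepted."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        addr, name = parts
        digits = re.sub(r"[:.\-]", "", addr).lower()
        if not re.fullmatch(r"[0-9a-f]+", digits) or len(digits) % 2:
            raise ValueError(f"bad address: {addr!r}")
        entries[":".join(digits[i:i + 2] for i in range(0, len(digits), 2))] = name
    return entries

def parse_colorfilters(text: str) -> list[tuple[str, str, tuple[int, ...], tuple[int, ...]]]:
    """Parse '@<name>@<filter>@[bg RGB][fg RGB]' rules, enforcing the 16-bit range."""
    rule = re.compile(r"^@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = rule.match(line)
        if m is None:
            raise ValueError(f"malformed colouring rule: {line!r}")
        rgb = [int(v) for v in m.groups()[2:]]
        if any(v > 0xFFFF for v in rgb):
            raise ValueError(f"RGB component exceeds 16 bits: {line!r}")
        rules.append((m.group(1), m.group(2), tuple(rgb[:3]), tuple(rgb[3:])))
    return rules
```

Because these files live in the user's home directory and are read at every start, a reject-on-malformed parser like this is also a convenient way to audit them before trusting the names they inject into a capture view.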
Windows folders

Here you will find some details about the folders used by Wireshark on different Windows versions. As already mentioned, you can find the currently used folders in the About Wireshark dialog.
Windows profiles

Windows uses some special directories, called the user profile, to store user configuration files in. This can be confusing, as the default directory location changed from version to version and might also differ between English and internationalized versions of Windows.

Note! If you upgraded to a new Windows version, your profile might have been kept in the former location, so the defaults mentioned here might not apply.

The following will try to guide you to the right place to look for Wireshark's profile data.

95/98/ME: The default in Windows 95/98/ME is that all users work with the same profile, which is located at:

    C:\windows\Application Data\Wireshark

98/ME (with enabled user profiles): In Windows 98 and ME you can enable separate user profiles. In that case, something like the following is used:

    C:\windows\Profiles\<username>\Application Data\Wireshark

NT 4:

    C:\WINNT\Profiles\<username>\Application Data\Wireshark

2000/XP:

    C:\Documents and Settings\<username>\Application Data

"Documents and Settings" and "Application Data" might be internationalized.
Windows NT/2000/XP roaming profiles

The following is only applicable if you are using roaming profiles. This might be the case if you work in a Windows domain environment (used in large company networks). The configurations of all programs you use won't be saved on the local hard drive of the computer you are currently working on, but on the domain server. As Wireshark uses the correct places to store its profile data, your settings will travel with you when you log on to a different computer the next time.

There is an exception to this: the "Local Settings" folder in your profile data (typically something like C:\Documents and Settings\<username>\Local Settings) will not be transferred to the domain server. This is the default location for temporary capture files.
Windows temporary folder

Wireshark uses the folder set by the TMPDIR or TEMP environment variable. This variable is set by the Windows installer. The default location for temporary files on NT 4 is just C:\TEMP; on 2000 the default location is a directory under your profile directory, which might have "Temporary Files" in the path name.