Lab 23 is not displaying as expected in the bookmark filters menu. Could it be because there is a difference with the new version of Wireshark?

asked 2020-09-29 01:03:49 +0000

mark.witbeck

When the dfilters_sample.txt is added to my personal dfilters in Wireshark, the Lab shows that it should look like a multi-line output. I do not get that. I get a single line with the entire filter as one filter with no separation. Even the filter bar is red. I am not sure if this is because of the newer version of Wireshark compared to when the file was created. If something changed. I have tried a few things but I am not sure what I am missing. This is not hard to copy and paste. I am using Wireshark Version 3.2.7 (v3.2.7-0-gfb6522d84a3a).

Thanks


Comments

What operating system are you working on and what program is being used to edit dfilters?

Chuckc ( 2020-09-29 01:42:49 +0000 )

I am on Windows 10. I have used both the program Notepad and Wordpad to try and edit the files.

mark.witbeck ( 2020-09-29 03:35:04 +0000 )

I think it's a bug but haven't figured out when it came in or how.
The file formats are a mix of CR/LF and once Wireshark saves it out an extra CR gets added.

Do you have the option of editing with vi (vim) or Notepad++?
In vi, delete the extra ^M at the end of the lines.
In Notepad++, use Edit->EOL Conversion->Windows (CR LF) to fix the lines missing a LF.

Chuckc ( 2020-09-29 05:47:42 +0000 )
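
As an added illustration of the mixed CR/LF and extra-CR condition described in the comment above (not code from this thread or from Wireshark), this Python script counts each line-ending type in a dfilters file's raw bytes, lists the lines that deviate from CR LF, and writes a normalized copy. The sample filter lines and all function names are constructed for the example.

```python
import re
import sys

# Longest alternative first: a run of CRs before LF is one (faulty) terminator.
_EOL = re.compile(rb"\r{2,}\n|\r\n|\n|\r")

# Constructed sample in the dfilters layout ("name" filter), one ending of each kind.
SAMPLE = (
    b'"Ethernet broadcast" eth.addr == ff:ff:ff:ff:ff:ff\r\n'  # CR LF
    b'"No ARP" not arp\n'                                      # LF only
    b'"IPv4 only" ip\r\r\n'                                    # extra CR
)


def _kind(tok: bytes) -> str:
    """Name a matched terminator; anything with two or more CRs is EXTRA_CR."""
    return {b"\r\n": "CRLF", b"\n": "LF", b"\r": "CR"}.get(tok, "EXTRA_CR")


def audit_eols(data: bytes) -> dict:
    """Count each kind of line terminator in the raw bytes."""
    counts = {"EXTRA_CR": 0, "CRLF": 0, "LF": 0, "CR": 0}
    for m in _EOL.finditer(data):
        counts[_kind(m.group())] += 1
    return counts


def find_anomalies(data: bytes, expected: str = "CRLF") -> list:
    """Return (line_number, terminator) for every line not ending in `expected`."""
    hits = enumerate(_EOL.finditer(data), start=1)
    return [(n, _kind(m.group())) for n, m in hits if _kind(m.group()) != expected]


def normalize_eols(data: bytes, eol: bytes = b"\r\n") -> bytes:
    """Rewrite every terminator as `eol`; extra CRs before an LF are dropped."""
    return _EOL.sub(eol, data)


if __name__ == "__main__":
    # Usage: python script.py <path to dfilters>; with no argument, runs on SAMPLE.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("before:", audit_eols(raw), find_anomalies(raw))
    fixed = normalize_eols(raw)
    print("after: ", audit_eols(fixed))
    if len(sys.argv) > 1 and fixed != raw:
        with open(sys.argv[1] + ".fixed", "wb") as out:  # original is left untouched
            out.write(fixed)
```
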

Where is this dfilters_sample.txt file?

cmaynard ( 2020-09-29 13:59:13 +0000 )
Chuckc ( 2020-09-29 14:15:06 +0000 )

I appended the dfilters_sample.txt contents to the default dfilters file, and everything looks fine, but I am still using [a customized version of] 3.2.6. Is the problem resolved with 3.2.6? If so, then maybe some bug was introduced with 3.2.7.

cmaynard ( 2020-09-29 14:37:28 +0000 )

It's Windows specific and after the default is read in and written back out to a dfilters in the profile directory.

Chuckc ( 2020-09-29 14:39:04 +0000 )

So I see the extra carriage return, but the steps to reproduce it seem to be:

  1. Copy/paste dfilters_sample.txt contents into the dfilters file and save it.
  2. Start Wireshark and navigate to "Analyze -> Display Filters". (The new filters should be there and appear as a hierarchy with all new filters indented under the "Wireshark 101 Book Sample Display Filters ..." filter.)
  3. Click OK. This will cause the dfilters file to be re-written by Wireshark, which will only then introduce the extraneous carriage returns.

I've done this; however, after closing Wireshark and re-opening it again, the display filters still seem to be read just fine and are just as usable as before. If there's something else one needs to do to reproduce the problem, then I guess I'm missing it. (A Wireshark Issue should probably be opened so the extraneous carriage return can be fixed, but at ...

cmaynard ( 2020-09-29 14:54:28 +0000 )