Lab 23 is not displaying as expected in the bookmark filters menu. Could it be because there is a difference with the new version of Wireshark?

asked 2020-09-29 01:03:49 +0000

mark.witbeck gravatar image

The dfilters_sample.txt when added to my personal dfilters in Wireshark the Lab shows that it should look like a multi-line output. I do not get that. I get a single line with the entire filter as one filter with no separation. Even the filter bar is red. I am not sure if this is because of the newer version of Wireshark compared to when the file was created. If something changed. I have tried a few things but I am not sure what I am missing. This is not hard to copy and paste. I am using the Wireshark Version 3.2.7 (v3.2.7-0-gfb6522d84a3a).


edit retag flag offensive close merge delete


What operating system are you working on and what program is being used to edit dfilters?

Chuckc gravatar imageChuckc ( 2020-09-29 01:42:49 +0000 )edit

I am on Windows 10. I have used both the program Notepad and Wordpad to try and edit the files.

mark.witbeck gravatar imagemark.witbeck ( 2020-09-29 03:35:04 +0000 )edit

I think it's a bug but haven't figured out when it came in or how.
The file formats are a mix of CR/LF and once Wireshark saves it out an extra CR gets added.

Do you have the option of editing with vi (vim) or Notepad++?
In vi, delete the extra ^M at the end of the lines.
In Notepad++, use Edit->EOL Conversion->Windows (CR LF) to fix the lines missing a LF.

Chuckc gravatar imageChuckc ( 2020-09-29 05:47:42 +0000 )edit

Where is this dfilters_sample.txt file?

cmaynard gravatar imagecmaynard ( 2020-09-29 13:59:13 +0000 )edit
Chuckc gravatar imageChuckc ( 2020-09-29 14:15:06 +0000 )edit

I appended the dfilters_sampe.txt contents to the default dfilters file, and everything looks fine, but I am still using [a customized version of] 3.2.6. Is the problem resolved with 3.2.6? If so, then maybe some bug was introduced with 3.2.7.

cmaynard gravatar imagecmaynard ( 2020-09-29 14:37:28 +0000 )edit

It's Windows specific and after the default is read in and written back out to a dfilters in the profile directory.

Chuckc gravatar imageChuckc ( 2020-09-29 14:39:04 +0000 )edit

So I see the extra carriage return, but the steps to reproduce it seem to be:

  1. Copy/paste dfilters_sample.txt contents into the dfilters file and save it.
  2. Start Wireshark and navigate to "Analyze -> Display Filters" (The new filters should be there and appear as a hierarchy with all new filters indented under the "Wireshark 101 Book Sample Display Filters ..." filter.
  3. Click OK. This will cause the dfilters file to be re-written by Wireshark, which will only then introduce the extraneous carriage returns.

I've done this; however, after closing Wireshark and re-opening it again, the display filters still seem to be read just fine and are just as usable as before. If there's something else one needs to do to reproduce the problem, then I guess I'm missing it. (A Wireshark Issue should probably be opened so the extraneous carriage return can be fixed, but at ...(more)

cmaynard gravatar imagecmaynard ( 2020-09-29 14:54:28 +0000 )edit

NOTE: You don't actually have to add any new display filters to see the extra carriage return added, as merely clicking OK in the Display Filters dialog will do that, regardless of whether you added any new filters or not.

cmaynard gravatar imagecmaynard ( 2020-09-29 15:00:44 +0000 )edit

It's was late and I got brain ache - tried fopen binary - didn't help. Behaves different on Linux.
In your step #1 above did you add it to the global dfilters file? It would work in that case.
It's when you want to add to a specific profile dfilters that the problem comes in.
So I think a bug but wanted to provide something more than "it's broke" before opening an issue.

Chuckc gravatar imageChuckc ( 2020-09-29 15:17:01 +0000 )edit

Yes, I was working with the global dfilters file. I repeated the process with a profile dfilters file, but the behavior is the same and it still works despite the extraneous carriage returns. Since my version of Wireshark is customized, perhaps there's another difference that allows it to work for me, such as the fact that I'm running Qt 5.15.0. For reference, here are my Version 3.2.6 details:

Compiled (64-bit) with Qt 5.15.0, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver 1.3.2, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy ...
cmaynard gravatar imagecmaynard ( 2020-09-29 15:29:13 +0000 )edit

It also depends on the editor. I can make it work with vi or Notepad++.
If you have steps to a good file using notepad then the original question could use that as an answer.

Chuckc gravatar imageChuckc ( 2020-09-29 15:33:14 +0000 )edit

Sorry, I was gone, I do have access to notepad++ and vi. I will try to add it there and see the results I get.

mark.witbeck gravatar imagemark.witbeck ( 2020-09-29 21:36:13 +0000 )edit

I got it to wok with Notpad++. I took advice from Chuckc about viewing the hidden characters. I saw a pattern with the CR(Carriage Return) and LF(Line Feed). I then matched how the rest of the file was set up. Which is a CR at the end of the line and then a CRLF on the blank line. It now looks like the book suggests.

I am not sure if this is a bug issue or not. From a normal user, you hit the enter key and expect to do what you need. I was unsure what the CR and LF meant so I looked that up and found this site that discussed how to find and replace the hidden characters (link below). I just replaced everything I needed to so that it looked the same as the previous lines.

Thanks for looking into this. Great ideas here ...(more)

mark.witbeck gravatar imagemark.witbeck ( 2020-09-29 21:58:49 +0000 )edit

Now I am not sure how to show that this is now answered.

mark.witbeck gravatar imagemark.witbeck ( 2020-09-29 22:00:03 +0000 )edit

Maybe one of the more senior members will see this and weigh in.
The comments above are a work around for your issue but still trying to resolve how things "should work". :-)

Chuckc gravatar imageChuckc ( 2020-09-29 22:24:30 +0000 )edit