Coloring rules not working

asked Jul 17 '18

wirefish

Recently I tried to create a new coloring rule and it is not working anymore. If I go to View - Coloring Rules, just when I press "OK" (it does not matter if I create or modify a rule or not) I get the error:

Your coloring rules file contains unknown rules. Wireshark doesn't recognize one or more of your coloring rules. They have been disabled.

This happens with any profile, the Classic one and my own. For example, the contents of the Classic profile are:

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][65535,24383,24383]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[0,0,0][65535,63222,0]
@Spanning Tree Topology  Change@stp.type == 0x80@[0,0,0][65535,63222,0]
@OSPF State Change@ospf.msg != 1@[0,0,0][65535,63222,0]
@ICMP errors@icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[0,0,0][0,65535,3616]
@ARP@arp@[55011,59486,65534][0,0,0]
@ICMP@icmp || icmpv6@[49680,49737,65535][0,0,0]
@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63121,32911]
@SCTP ABORT@sctp.chunk_type eq ABORT@[37008,0,0][65535,63121,32911]
@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]
@Checksum Errors@cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad"|| sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad"@[0,0,0][65535,24383,24383]
@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65534,64008,39339][0,0,0]
@HTTP@http || tcp.port == 80@[36107,65535,32590][0,0,0]
@IPX@ipx || spx@[65534,58325,58808][0,0,0]
@DCERPC@dcerpc@[51199,38706,65533][0,0,0]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65534,62325,54808][0,0,0]
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41026,41026,41026][0,0,0]
@TCP@tcp@[59345,58980,65534][0,0,0]
@UDP@udp@[28834,57427,65533][0,0,0]
@Broadcast@eth[0] & 1@[65535,65535,65535][32768,32768,32768]

I have read about new versions having broken old versions because of the Checksum strings, but I removed it and still have the problem. I have also clicked the minus sign on all rules except for the basic arp and I still get the error when I click OK. What can be happening?
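To see which line of a colorfilters file Wireshark is likely to reject, the following added example (my own code, not part of the original post and not Wireshark's own parser) reads the `@name@filter@[fg][bg]` lines shown above, reports lines whose structure is wrong, and lists which display-filter fields each rule references so they can be compared with the fields a given Wireshark build actually registers. The format details it assumes (a leading `!` marks a disabled rule, colour components are 16-bit values, `#` lines are comments) and the field-extraction regex are my assumptions; the `KNOWN_FIELDS` set and the extra `Broken`/`Loud` lines are constructed for the demonstration. Only the structure is checked here: whether a filter compiles is decided by the Wireshark build that loads the file, which is why a file written for one version can raise the "unknown rules" message in another.

```python
"""Structural checker for Wireshark 'colorfilters' lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Assumed line shape: [!]@<name>@<display filter>@[r,g,b][r,g,b]
RULE_RE = re.compile(
    r'^(?P<disabled>!?)@(?P<name>[^@]*)@(?P<filter>.*)@'
    r'\[(?P<fg>\d+,\d+,\d+)\]\[(?P<bg>\d+,\d+,\d+)\]$'
)
# Heuristic: field/protocol names are lowercase dotted identifiers;
# display-filter keywords and quoted strings are excluded.
FIELD_RE = re.compile(r'\b[a-z][a-z0-9_]*(?:\.[a-z0-9_]+)*')
KEYWORDS = {'eq', 'ne', 'gt', 'lt', 'ge', 'le', 'and', 'or', 'not',
            'contains', 'matches', 'in', 'xor', 'bitwise_and'}


@dataclass
class ColorRule:
    name: str
    filter: str
    fg: Tuple[int, int, int]
    bg: Tuple[int, int, int]
    enabled: bool


def parse_rgb(text: str) -> Tuple[int, int, int]:
    """Parse 'r,g,b'; components are assumed to be 16-bit (0..65535)."""
    parts = tuple(int(p) for p in text.split(','))
    for c in parts:
        if not 0 <= c <= 65535:
            raise ValueError(f"colour component {c} outside 0..65535")
    return parts  # type: ignore[return-value]


def parse_colorfilters(text: str) -> Tuple[List[ColorRule], List[Tuple[int, str]]]:
    """Return (rules, problems); problems are (line number, reason) pairs."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((lineno, "malformed rule line"))
            continue
        if not m['filter'].strip():
            problems.append((lineno, "empty display filter"))
            continue
        try:
            fg, bg = parse_rgb(m['fg']), parse_rgb(m['bg'])
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        rules.append(ColorRule(m['name'], m['filter'], fg, bg, m['disabled'] == ''))
    return rules, problems


def format_rule(rule: ColorRule) -> str:
    """Render a rule back into the file format (round-trip check)."""
    rgb = lambda t: '[' + ','.join(str(c) for c in t) + ']'
    return f"{'' if rule.enabled else '!'}@{rule.name}@{rule.filter}@{rgb(rule.fg)}{rgb(rule.bg)}"


def fields_referenced(display_filter: str) -> Set[str]:
    """Field and protocol names a filter mentions (heuristic, see FIELD_RE)."""
    unquoted = re.sub(r'"[^"]*"', '', display_filter)
    return {t for t in FIELD_RE.findall(unquoted) if t not in KEYWORDS}


def unknown_fields(rules: Iterable[ColorRule], known: Iterable[str]) -> Dict[str, Set[str]]:
    """Map rule name -> referenced fields absent from the build's field list."""
    known_set = set(known)
    return {r.name: missing for r in rules
            if (missing := fields_referenced(r.filter) - known_set)}


# Constructed sample: lines from the post plus two deliberately bad ones.
SAMPLE = """\
# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][65535,24383,24383]
@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63121,32911]
@Checksum Errors@cdp.checksum.status=="Bad" || tcp.checksum.status=="Bad"@[0,0,0][65535,24383,24383]
!@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41026,41026,41026][0,0,0]
@Broadcast@eth[0] & 1@[65535,65535,65535][32768,32768,32768]
@Broken@tcp@[1,2][3,4,5]
@Loud@udp@[70000,0,0][0,0,0]
"""
# Constructed stand-in for the fields a particular build registers
# (tcp.checksum.status left out on purpose).
KNOWN_FIELDS = {'tcp.analysis.flags', 'tcp.analysis.window_update', 'tcp.flags.reset',
                'cdp.checksum.status', 'tcp.flags', 'tcp.flags.fin', 'eth'}

if __name__ == '__main__':
    parsed, issues = parse_colorfilters(SAMPLE)
    for lineno, reason in issues:
        print(f"line {lineno}: {reason}")
    for name, missing in unknown_fields(parsed, KNOWN_FIELDS).items():
        print(f"rule {name!r} references unregistered fields: {sorted(missing)}")
```

Running it on the sample reports the two constructed bad lines (wrong colour triple, out-of-range component) and flags the `Checksum Errors` rule as the one referencing a field the stand-in build does not know, which is the situation the "unknown rules" dialog describes.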


Comments

Wireshark version?

grahamb ( Jul 17 '18 )

Sorry, I wanted to and I just forgot to add that: Version 2.4.4 (v2.4.4-0-g90a7be11a4)

wirefish ( Jul 17 '18 )

I have updated to latest version 2.6 but now it doesn't even start. It is blocked at "Initializing external capture plugins"

wirefish ( Jul 17 '18 )

Possibly one of the extcap plugins doesn't work well on your system.

Stop Wireshark and move the executables out of the wireshark install\extcap directory to somewhere safe. If Wireshark then starts correctly you can put the extcaps back one by one, restarting each time, to find the culprit.

grahamb ( Jul 17 '18 )

I have uninstalled everything, left USBcap uninstalled, reinstalled everything... didn't work. I repeated the process again and now it seems to work. I could add a new coloring rule. Not sure what happened but it seems fixed now. Thanks

wirefish ( Jul 17 '18 )