Coloring rules not working

asked 2018-07-17 11:07:02 +0000


Recently I tried to create a new coloring rule and it is not working anymore. If I go to View - Coloring Rules, just when I press "OK" (it does not matter whether I create or modify a rule or not) I get the error:

Your coloring rules file contains unknown rules. Wireshark doesn't recognize one or more of your coloring rules. They have been disabled.

This happens with any profile, the Classic one and my own. For example, the contents of the Classic profile are:

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][65535,24383,24383]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[0,0,0][65535,63222,0]
@Spanning Tree Topology  Change@stp.type == 0x80@[0,0,0][65535,63222,0]
@OSPF State Change@ospf.msg != 1@[0,0,0][65535,63222,0]
@ICMP errors@icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[0,0,0][0,65535,3616]
@ICMP@icmp || icmpv6@[49680,49737,65535][0,0,0]
@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63121,32911]
@SCTP ABORT@sctp.chunk_type eq ABORT@[37008,0,0][65535,63121,32911]
@TTL low or unexpected@( ! ip.dst == && ip.ttl < 5 && !pim) || (ip.dst == && ip.dst != && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]
@Checksum Errors@cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad"@[0,0,0][65535,24383,24383]
@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65534,64008,39339][0,0,0]
@HTTP@http || tcp.port == 80@[36107,65535,32590][0,0,0]
@IPX@ipx || spx@[65534,58325,58808][0,0,0]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65534,62325,54808][0,0,0]
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41026,41026,41026][0,0,0]
@Broadcast@eth[0] & 1@[65535,65535,65535][32768,32768,32768]

I have read about new versions having broken old versions because of the Checksum strings, but I removed it and still have the problem. I have also clicked the minus sign on all rules except for the basic arp and I still get the error when I click OK. What can be happening?

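An added example, not part of the post above and not Wireshark's own code: a small Python checker for the colorfilters file layout used by the rules quoted above. Each rule line is an optional leading "!" (a disabled rule), then "@name@display filter@[fg_r,fg_g,fg_b][bg_r,bg_g,bg_b]" with 16-bit colour components; the filter cannot contain "@" because the file is split on it. The sample file embedded below is constructed for illustration, not the poster's actual profile. The optional dftest_filter helper assumes Wireshark's dftest utility is on PATH and exits 0 only for a filter that compiles; everything else runs offline.

```python
import re
import shutil
import subprocess

# Constructed sample: modelled on the default rules above, with two deliberately broken lines.
SAMPLE_COLORFILTERS = """\
# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][65535,24383,24383]
!@ARP@arp@[64250,61009,64250][0,0,0]
@HTTP@http || tcp.port == 80@[36107,65535,32590][0,0,0]
@Broken colours@udp@[0,0,0]
@No filter@@[0,0,0][65535,65535,65535]
"""

# Foreground and background colour triples, each component 0..65535 (16-bit, as Wireshark writes them).
COLOUR_RE = re.compile(r"^\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


def parse_rule(line):
    """Parse one rule line. Returns (rule_dict, None) on success or (None, problem_text) on failure."""
    disabled = line.startswith("!")
    body = line[1:] if disabled else line
    if not body.startswith("@"):
        return None, "line does not start with '@' (or '!@' for a disabled rule)"
    # name up to the first '@', filter up to the next '@', colours are the remainder
    parts = body[1:].split("@", 2)
    if len(parts) != 3:
        return None, "expected three '@'-separated fields: name, filter, colours"
    name, dfilter, colours = parts
    match = COLOUR_RE.match(colours)
    if not match:
        return None, "colour block must be [fg_r,fg_g,fg_b][bg_r,bg_g,bg_b]"
    values = [int(v) for v in match.groups()]
    if any(v > 65535 for v in values):
        return None, "colour components are 16-bit (0..65535)"
    if not dfilter.strip():
        return None, "empty display filter"
    rule = {"name": name, "filter": dfilter, "disabled": disabled,
            "fg": tuple(values[:3]), "bg": tuple(values[3:])}
    return rule, None


def check_colorfilters(text):
    """Return (rules, problems): parsed rules and a list of (line_number, problem) for bad lines."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are ignored
            continue
        rule, problem = parse_rule(line)
        if rule is not None:
            rules.append(rule)
        else:
            problems.append((lineno, problem))
    return rules, problems


def dftest_filter(dfilter):
    """Optionally compile a filter with Wireshark's dftest (assumed on PATH, exit status 0 == compiles).
    Returns True/False, or None when dftest is not available."""
    if shutil.which("dftest") is None:
        return None
    return subprocess.run(["dftest", dfilter], capture_output=True).returncode == 0


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_COLORFILTERS
    rules, problems = check_colorfilters(text)
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    for rule in rules:
        compiled = dftest_filter(rule["filter"])
        state = "disabled" if rule["disabled"] else "enabled"
        extra = "" if compiled is None else ("  (dftest: ok)" if compiled else "  (dftest: DOES NOT COMPILE)")
        print(f"{state:8s} {rule['name']!r}: {rule['filter']}{extra}")
```

Run it against a profile's colorfilters file (on Windows typically under %APPDATA%\Wireshark\profiles\<name>\colorfilters) to see which lines fail structurally before suspecting the filter syntax itself; with dftest present it also tells you which filters the installed version no longer accepts.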


Wireshark version?

grahamb ( 2018-07-17 11:15:09 +0000 )

Sorry, I meant to add that and just forgot: Version 2.4.4 (v2.4.4-0-g90a7be11a4)

wirefish ( 2018-07-17 11:26:09 +0000 )

I have updated to the latest version, 2.6, but now it doesn't even start. It is blocked at "Initializing external capture plugins".

wirefish ( 2018-07-17 13:32:20 +0000 )

Possibly one of the extcap plugins doesn't work well on your system.

Stop Wireshark and move the executables out of the Wireshark install\extcap directory to somewhere safe. If Wireshark then starts correctly you can put the extcaps back one by one, restarting each time, to find the culprit.

grahamb ( 2018-07-17 14:36:01 +0000 )
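Added example, not grahamb's code and not part of Wireshark: a Python script that performs the one-by-one check directly instead of restarting Wireshark for each plugin. It invokes every executable in the extcap directory with --extcap-interfaces, which is the query Wireshark sends to each plugin when it initializes external capture plugins at startup, under a timeout, so a plugin that hangs or exits with an error is identified without moving any files. The directory path is taken from the command line (assumed to be the install's extcap folder); the three "simulated plugins" are constructed Python one-liners used only to illustrate the three outcomes. Wireshark also passes an --extcap-version option to plugins, which is omitted here.

```python
import os
import subprocess
import sys
from pathlib import Path

# The interface-discovery query Wireshark issues to each extcap at startup.
EXTCAP_PROBE_ARGS = ["--extcap-interfaces"]


def probe_command(argv, timeout=5.0):
    """Run one plugin probe and classify it: 'ok', 'error:<rc>', 'timeout' (hung, killed) or 'missing'."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return "missing"
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout; this is the "blocked at startup" case.
        return "timeout"
    return "ok" if proc.returncode == 0 else f"error:{proc.returncode}"


def probe_commands(commands, timeout=5.0):
    """commands: {label: argv}. Returns {label: status} with the same keys."""
    return {label: probe_command(argv, timeout) for label, argv in commands.items()}


def extcap_commands(extcap_dir):
    """Build a probe command for every executable in a Wireshark extcap directory."""
    commands = {}
    for entry in sorted(Path(extcap_dir).iterdir()):
        if not entry.is_file():
            continue
        if os.name == "nt":
            executable = entry.suffix.lower() == ".exe"   # Windows: extcaps ship as .exe files
        else:
            executable = os.access(entry, os.X_OK)
        if executable:
            commands[entry.name] = [str(entry)] + EXTCAP_PROBE_ARGS
    return commands


def simulated_extcaps():
    """Constructed stand-ins for plugins (Python one-liners), not real extcap binaries:
    one that answers, one that fails, one that never returns."""
    py = sys.executable
    return {
        "good": [py, "-c", "print('interface {value=sim0}{display=Simulated}')"],
        "broken": [py, "-c", "import sys; sys.exit(3)"],
        "hung": [py, "-c", "import time; time.sleep(30)"],
    }


if __name__ == "__main__":
    # Usage: python probe_extcaps.py "C:\Program Files\Wireshark\extcap"  (assumed install path)
    if len(sys.argv) > 1:
        commands = extcap_commands(sys.argv[1])
    else:
        commands = simulated_extcaps()
    for name, status in probe_commands(commands, timeout=5.0).items():
        print(f"{status:12s} {name}")
```

A plugin reported as "timeout" is the one worth moving out of the extcap directory first; an "error:<rc>" result usually means a missing runtime dependency (for example USBPcap's driver or a missing DLL) rather than a hang.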

I have uninstalled everything, left USBPcap uninstalled, reinstalled everything... it didn't work. I repeated the process again and now it seems to work. I could add a new coloring rule. Not sure what happened but it seems fixed now. Thanks

wirefish ( 2018-07-17 15:24:13 +0000 )