Coloring rules not working

Recently I tried to create a new coloring rule and it is not working anymore. If I go to View - Coloring Rules, just when I press "OK" (it does not matter if I create or modify a rule or not) I get the error:

Your coloring rules file contains unknown rules. Wireshark doesn't recognize one or more of your coloring rules. They have been disabled.

This happens with any profile, the Classic one and my own. For example, the contents of the Classic profile are:

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad [email protected] && !tcp.analysis.window_update@[0,0,0][65535,24383,24383]
@HSRP State [email protected] != 8 && hsrp.state != 16@[0,0,0][65535,63222,0]
@Spanning Tree Topology  [email protected] == 0x80@[0,0,0][65535,63222,0]
@OSPF State [email protected] != 1@[0,0,0][65535,63222,0]
@ICMP [email protected] eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[0,0,0][0,65535,3616]
@ARP@arp@[55011,59486,65534][0,0,0]
@ICMP@icmp || icmpv6@[49680,49737,65535][0,0,0]
@TCP [email protected] eq 1@[37008,0,0][65535,63121,32911]
@SCTP [email protected]_type eq ABORT@[37008,0,0][65535,63121,32911]
@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]
@Checksum [email protected]=="Bad" || edp.checksum.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad"|| sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad"@[0,0,0][65535,24383,24383]
@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65534,64008,39339][0,0,0]
@HTTP@http || tcp.port == 80@[36107,65535,32590][0,0,0]
@IPX@ipx || spx@[65534,58325,58808][0,0,0]
@DCERPC@dcerpc@[51199,38706,65533][0,0,0]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65534,62325,54808][0,0,0]
@TCP SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41026,41026,41026][0,0,0]
@TCP@tcp@[59345,58980,65534][0,0,0]
@UDP@udp@[28834,57427,65533][0,0,0]
@Broadcast@eth[0] & 1@[65535,65535,65535][32768,32768,32768]

I have read about new versions having broken old versions because of the Checksum strings, but I removed it and still have the problem. I have also clicked the minus sign on all rules except for the basic arp and I still get the error when I click OK. What can be happening?