Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Coloring rules not working

Recently I tried to create a new coloring rule and it is not working anymore. If I go to View - Coloring Rules, just when I press "OK" (it dos not matter if I create or modify a rule or not) I get the error:

Your coloring rules file contains unknown rules. Wireshark doesn't recognize one or more of your coloring rules. They have been disabled.

This happens with any profile, the Classic one and my own. For example, the contents of the Classic profile are:

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad [email protected] && [email protected][0,0,0][65535,24383,24383]
@HSRP State [email protected] != 8 && hsrp.state != [email protected][0,0,0][65535,63222,0]
@Spanning Tree Topology  [email protected] == [email protected][0,0,0][65535,63222,0]
@OSPF State [email protected] != [email protected][0,0,0][65535,63222,0]
@ICMP [email protected] eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq [email protected][0,0,0][0,65535,3616]
@[email protected]@[55011,59486,65534][0,0,0]
@[email protected] || [email protected][49680,49737,65535][0,0,0]
@TCP [email protected] eq [email protected][37008,0,0][65535,63121,32911]
@SCTP [email protected]_type eq [email protected][37008,0,0][65535,63121,32911]
@TTL low or [email protected]( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]
@Checksum [email protected]=="Bad" || edp.checksum.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad"|| sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad"@[0,0,0][65535,24383,24383]
@[email protected] || nbss || nbns || nbipx || ipxsap || [email protected][65534,64008,39339][0,0,0]
@[email protected] || tcp.port == [email protected][36107,65535,32590][0,0,0]
@[email protected] || [email protected][65534,58325,58808][0,0,0]
@[email protected]@[51199,38706,65533][0,0,0]
@[email protected] || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || [email protected][65534,62325,54808][0,0,0]
@TCP SYN/[email protected] & 0x02 || tcp.flags.fin == [email protected][41026,41026,41026][0,0,0]
@[email protected]@[59345,58980,65534][0,0,0]
@[email protected]@[28834,57427,65533][0,0,0]
@[email protected][0] & [email protected][65535,65535,65535][32768,32768,32768]

I have read about new versions having broken old versions because of the Checksum strings, but I removed it and still have the problem. I have also click the minus sign to all rules except for the basic arp and I still get the error when I click OK. What can be happening?