This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Your coloring rules files contains unknown rules

0

I am trying to import coloring rules and am getting the below message. I get it even if I just open the Color Rules and then click ok. I have uninstalled and reinstalled 2.2.3.

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad [email protected]@[0,0,0][65535,24383,24383]
@HSRP State [email protected] != 8 && hsrp.state != [email protected][0,0,0][65535,63222,0]
@Spanning Tree Topology  [email protected] == [email protected][0,0,0][65535,63222,0]
@OSPF State [email protected] != [email protected][0,0,0][65535,63222,0]
@ICMP [email protected] eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq [email protected][0,0,0][0,65535,3616]
@ARP@[email protected][55011,59486,65534][0,0,0]
@[email protected] == [email protected][59298,29237,56649][65535,0,7447]
@[email protected] [email protected][63286,31200,52717][0,2520,65535]
@[email protected] == [email protected][58500,29296,59223][62125,65535,0]
@[email protected] == [email protected][57584,30144,60069][830,59223,62187]
@[email protected] == [email protected][44822,29964,54978][17200,13142,28913]
@[email protected]@[49680,49737,65535][0,0,0]
@TCP [email protected] eq [email protected][37008,0,0][65535,63121,32911]
@TTL low or [email protected]( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5) || (ip.dst == 224.0.0.0/24 && ip.ttl != 1)@[37008,0,0][65535,65535,65535]
@Checksum [email protected]_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || [email protected][0,0,0][65535,24383,24383]
@SMB@smb || nbss || nbns || nbipx || ipxsap || [email protected][65534,64008,39339][0,0,0]
!@HTTP@http || tcp.port == [email protected][36107,65535,32590][0,0,0]
@[email protected] || [email protected][65534,58325,58808][0,0,0]
@[email protected]@[51199,38706,65533][0,0,0]
@[email protected] || eigrp || ospf || bgp || cdp || vrrp || gvrp || igmp || [email protected][65534,62325,54808][0,0,0]
@TCP SYN/[email protected] & 0x02 || tcp.flags.fin == [email protected][41026,41026,41026][0,0,0]
!@TCP@[email protected][59345,58980,65534][0,0,0]
@[email protected][0] & [email protected][65535,65535,65535][32768,32768,32768]
@SIP@[email protected][8679,47786,45539][65535,65535,65535]
@[email protected] == [email protected][65535,58469,0][0,0,0]
@[email protected] == [email protected][17411,49149,14135][0,0,0]
@[email protected]_subtype == [email protected][32860,51685,33462][0,0,0]
@Probe [email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x04)@[65535,745,0][65535,65535,65535]
@Probe [email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05)@[1135,5091,65457][65535,65535,65535]
@Association [email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00)@[65535,20328,26521][0,0,0]
@Association [email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x01)@[25744,35378,65535][0,0,0]
@Reassociation [email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02)@[58737,25181,28049][65535,65535,65535]
@Reassociation [email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x03)@[23146,26555,65535][65535,65535,65535]
@[email protected](((wlan_mgt.fixed.category_code == 3) && (wlan.fc.subtype == 13)) && (wlan.fc.type == 0)) && (wlan_mgt.fixed.action_code == 0x00)@[65535,5377,50013][4469,65016,33513]
@[email protected](((wlan_mgt.fixed.category_code == 3) && (wlan.fc.subtype == 13)) && (wlan.fc.type == 0)) && (wlan_mgt.fixed.action_code == 0x01)@[19534,0,65460][7629,62962,0]
@DELBA@(((wlan_mgt.fixed.category_code == 3) && (wlan.fc.subtype == 13)) && (wlan.fc.type == 0)) && (wlan_mgt.fixed.action_code == 0x02)@[59994,28015,65535][0,65535,19252]
@[email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)@[45349,27600,53192][65535,65535,65535]
@[email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0b)@[63650,40062,3190][65535,65535,65535]
@[email protected](wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)@[41584,8104,60517][65535,65535,65535]
@[email protected](wlan.fc.type == 1)&&(wlan.fc.subtype == 13)@[41224,41224,41224][65535,65535,65535]
@BA@(wlan.fc.type == 1)&&(wlan.fc.subtype == 9)@[28539,28539,28539][6295,64536,20380]
@RTS@(wlan.fc.type == 1)&&(wlan.fc.type_subtype == 0x1b)@[65535,19692,60513][65535,65535,65535]
@CTS@(wlan.fc.type == 1)&&(wlan.fc.type_subtype == 0x1c)@[32246,41950,59666][65535,65535,65535]
@BA[email protected](wlan.fc.type == 1)&&(wlan.fc.subtype == 8)@[56345,14475,14475][3459,63994,5847]
@EAP[email protected] == [email protected][60001,52154,20255][0,0,0]
@[email protected](frame.len==123)&&(dtls.record.content_type == 23)@[65535,17398,9061][65535,65535,65535]
@[email protected](frame.len==139)&&(dtls.record.content_type == 23)@[61807,9941,13792][65535,65535,65535]
@[email protected] == [email protected][57187,10463,10463][65535,65535,65535]
@[email protected] == [email protected][13523,16943,55133][65535,65535,65535]
@[email protected] == [email protected][55275,27832,22311][63421,63421,63421]
@[email protected] == [email protected][26794,29275,61527][65535,65535,65535]
@[email protected] == [email protected][32707,34024,62580][0,0,0]
@SSL@[email protected][34759,54159,14084][13162,16349,50577]
@EAP[email protected] == [email protected][15565,55176,20562][0,15286,65535]
@[email protected]_type == [email protected][59450,53026,39912][0,0,0]
@[email protected] == [email protected][63892,65535,0][0,0,0]
@RA[email protected] == [email protected][59115,27561,27561][65535,65535,65535]
@EAP[email protected] == [email protected][59101,57982,19664][8927,17097,65535]
@[email protected](wlccp.eap_msg >= 03:00:00:00)&&(wlccp.eap_msg <= 03:ff:ff:ff)@[62660,64647,26467][11129,4881,64858]
@[email protected](wlccp.eap_msg >= 04:00:00:00)&&(wlccp.eap_msg <= 04:ff:ff:ff)@[57119,59605,19747][65535,16650,16650]
@[email protected]_message_type == [email protected][63521,54451,28424][53497,2525,2525]
@[email protected] == [email protected][65535,30802,40584][65535,65535,65535]
@802.1X [email protected] == [email protected][57285,23756,42474][65535,65535,65535]
@[email protected](wlan.fc.type == 2)&&(wlan.fc.subtype == 4)&&(wlan.fc.ds == 0x01) && (wlan.fc.pwrmgt == 1)@[65535,65535,65535][65535,35189,0]
@QoS [email protected](wlan.fc.type == 2)&&(wlan.fc.subtype == 12)&&(wlan.fc.ds == 0x01) && (wlan.fc.pwrmgt == 1)@[65535,65535,65535][65535,30095,0]
@STA->[email protected] == [email protected][65535,65535,65535][65535,0,2289]
@DS->[email protected] == [email protected][65535,65535,65535][0,11579,65535]
@[email protected] == [email protected][65535,65535,65535][33296,33296,33296]
@[email protected] == 01:0b:85:00:00:[email protected][25929,39861,41578][0,14630,65535]

asked 22 Dec '16, 11:11

coxdjustin

edited 13 Jan '17, 09:39

grahamb ♦


One Answer:

1

There was a change in the filters used for checksum in Wireshark 2.2.0, and Wireshark is warning you that your colorfilters file uses the old syntax.

The XXX.checksum_bad entries must be replaced by XXX.checksum.status=="Bad". See the colorfilters file found in the Wireshark installation folder for an example.

answered 22 Dec '16, 11:37

Pascal Quantin

edited 13 Jan '17, 09:39

grahamb ♦

I also get the same error even if I delete all the coloring rules from the coloring rules list and press OK. The only way I got it to work is to start the Wireshark Legacy GUI. Delete all coloring rules. And click on Save when it pops up with an error. Now I am able to manually add rules but having issues importing color rules.

Version 2.2.3 (v2.2.2-0-g57531cd) Windows

(13 Jan '17, 09:18) faisalti
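
The rewrite described in the answer (XXX.checksum_bad to XXX.checksum.status=="Bad") can be applied to a whole colorfilters file; the following is an added example, not part of the original thread and not Wireshark's own code. The function names and the sample rules are constructed for illustration, and comparisons other than "== 1" are left unchanged and reported for manual review.

```python
import re

# One rule line: optional "!" (disabled rule), then @name@filter@[bg][fg]
RULE = re.compile(r'^(!?@[^@]*@)(.*)(@\[\d+,\d+,\d+\]\[\d+,\d+,\d+\])\s*$')
# <proto>.checksum_bad, optionally followed by a comparison
OLD = re.compile(r'\b([\w.-]+)\.checksum_bad\b(?:\s*(==|!=|eq|ne)\s*(\w+))?')

def migrate_filter(expr):
    """Rewrite old checksum fields in one display filter.

    Returns (new_expr, leftovers); leftovers are old-style comparisons
    that are not a plain "is bad" test and were left untouched.
    """
    leftovers = []
    def repl(m):
        proto, op, value = m.groups()
        if op is None or (op in ("==", "eq") and value == "1"):
            return f'{proto}.checksum.status=="Bad"'
        leftovers.append(m.group(0))
        return m.group(0)
    return OLD.sub(repl, expr), leftovers

def migrate_colorfilters(text):
    """Rewrite only the filter field of each rule; names and colors are kept."""
    out, report = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if m:
            new_expr, leftovers = migrate_filter(m.group(2))
            line = m.group(1) + new_expr + m.group(3)
            report += [(lineno, item) for item in leftovers]
        out.append(line)
    return "\n".join(out) + "\n", report

# Constructed sample in the colorfilters format (not the asker's file).
SAMPLE = """# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Checksum Errors@ip.checksum_bad==1 || tcp.checksum_bad == 1 || udp.checksum_bad@[0,0,0][65535,24383,24383]
!@Good TCP@tcp.checksum_bad == 0@[0,0,0][65535,65535,65535]
@HTTP@http || tcp.port == 80@[36107,65535,32590][0,0,0]
"""

if __name__ == "__main__":
    migrated, report = migrate_colorfilters(SAMPLE)
    print(migrated, end="")
    for lineno, item in report:
        print(f"line {lineno}: review manually: {item}")
```

Run it on a copy of the exported rules file and import the migrated copy, keeping the original until the import succeeds.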