This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have spent a lot of time creating display filters to use in many environments. When updating to 2.2.2 all the 30-40 display filters are now gone! Anyone know where they are stored and are we able to back them up before doing an update? Very costly to lose all of my work.

asked 27 Dec '16, 13:58

drewcrewof2's gravatar image

drewcrewof2
1223
accept rate: 0%


What's your OS?

Display filters are in a file named dfilters that will usually be in your "Personal Configuration" directory. You can find the location of that directory from the Wireshark -> Help -> About dialog, on the Folders tab.

Normally that directory is not touched on an upgrade.

permanent link

answered 27 Dec '16, 16:26

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Is Win 7 Ultimate. Thanks for the tip, I have hours invested. The removal has happened on 2 dev systems now.

(28 Dec '16, 05:30) drewcrewof2

Answering my own question after investigating further. The drop down Display Filters are indeed in ( my system) C:\Users\DrewCrewOf2\AppData\Roaming\Wireshark\recent_common\

However in the latest file there it has be set to all "NUL" (zeros) 13K of them! So is now gone! I went to a Acronis backup done days before the update to WS 2.2.2 and it still has my 13 K of Display filters. Some shown here below, so something killed the recent_common file contents during update::

######## Recent display filters (latest last), cannot be altered through command line ########

recent.display_filter: skinny && !skinny.messageId == 192  && !skinny.messageId == 0 && !skinny.messageId == 0x00000100 && !skinny.messageId == 289 && !skinny.messageId == 148 && !skinny.messageId == 13 && !skinny.messageId == 277 && !skinny.messageId == 274 && !skinny.messageId == 288 && !skinny.messageId ==134 && !skinny.messageId == 35 && !skinny.messageId == 263
recent.display_filter: skinny && !skinny.messageId == 192  && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId == 289 && !skinny.messageId == 148 && !skinny.messageId ==13 && !skinny.messageId == 277 && !skinny.messageId == 274 && !skinny.messageId == 288 && !skinny.messageId == 134
recent.display_filter: skinny && !skinny.messageId ==192  && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277 && !skinny.messageId ==274 && !skinny.messageId ==288 && !skinny.messageId ==134
recent.display_filter: skinny && !skinny.messageId ==192  && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277 && !skinny.messageId ==274 && !skinny.messageId ==288
recent.display_filter: skinny && !skinny.messageId ==192  && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277 && !skinny.messageId ==274
recent.display_filter: skinny && !skinny.messageId ==192  && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277
recent.display_filter: skinny && !skinny.messageId ==192  && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13
(28 Dec '16, 06:05) drewcrewof2

You have indicated that you found your display filters are in the file recent_common, this is not the list of saved display filters, this is the list of recently used display filters and is automatically overwritten on the exit of Wireshark.

The normal place to save display filters is in the dfilters file, using the dialog opened by Analyze -> Display Filters, where each display filter can also be named.

I can't see anything in the source or installer that would wipe out recent_common and a test update from 2.3.0 something to the latest master didn't remove my recent_common entries.

What version are you upgrading from?

(28 Dec '16, 07:46) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×63
×42
×40
×1

question asked: 27 Dec '16, 13:58

question was seen: 859 times

last updated: 28 Dec '16, 07:46

p​o​w​e​r​e​d by O​S​Q​A