This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Stored Display filters deleted when updating WS Version

0

I have spent a lot of time creating display filters to use in many environments. When updating to 2.2.2 all the 30-40 display filters are now gone! Anyone know where they are stored and are we able to back them up before doing an update? Very costly to lose all of my work.

asked 27 Dec '16, 13:58

drewcrewof2's gravatar image

drewcrewof2
1223
accept rate: 0%


One Answer:

0

What's your OS?

Display filters are in a file named dfilters that will usually be in your "Personal Configuration" directory. You can find the location of that directory from the Wireshark -> Help -> About dialog, on the Folders tab.

Normally that directory is not touched on an upgrade.

answered 27 Dec '16, 16:26

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Is Win 7 Ultimate. Thanks for the tip, I have hours invested. The removal has happened on 2 dev systems now.

(28 Dec '16, 05:30) drewcrewof2

Answering my own question after investigating further. The drop down Display Filters are indeed in ( my system) C:\Users\DrewCrewOf2\AppData\Roaming\Wireshark\recent_common\

However in the latest file there it has be set to all "NUL" (zeros) 13K of them! So is now gone! I went to a Acronis backup done days before the update to WS 2.2.2 and it still has my 13 K of Display filters. Some shown here below, so something killed the recent_common file contents during update::

######## Recent display filters (latest last), cannot be altered through command line ########

recent.display_filter: skinny && !skinny.messageId == 192 && !skinny.messageId == 0 && !skinny.messageId == 0x00000100 && !skinny.messageId == 289 && !skinny.messageId == 148 && !skinny.messageId == 13 && !skinny.messageId == 277 && !skinny.messageId == 274 && !skinny.messageId == 288 && !skinny.messageId ==134 && !skinny.messageId == 35 && !skinny.messageId == 263 recent.display_filter: skinny && !skinny.messageId == 192 && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId == 289 && !skinny.messageId == 148 && !skinny.messageId ==13 && !skinny.messageId == 277 && !skinny.messageId == 274 && !skinny.messageId == 288 && !skinny.messageId == 134 recent.display_filter: skinny && !skinny.messageId ==192 && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277 && !skinny.messageId ==274 && !skinny.messageId ==288 && !skinny.messageId ==134 recent.display_filter: skinny && !skinny.messageId ==192 && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277 && !skinny.messageId ==274 && !skinny.messageId ==288 recent.display_filter: skinny && !skinny.messageId ==192 && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277 && !skinny.messageId ==274 recent.display_filter: skinny && !skinny.messageId ==192 && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13 && !skinny.messageId ==277 recent.display_filter: skinny && !skinny.messageId ==192 && !skinny.messageId == 0 && !skinny.messageId ==0x00000100 && !skinny.messageId ==289 && !skinny.messageId ==148 && !skinny.messageId ==13

(28 Dec ‘16, 06:05) drewcrewof2

You have indicated that you found your display filters are in the file recent_common, this is not the list of saved display filters, this is the list of recently used display filters and is automatically overwritten on the exit of Wireshark.

The normal place to save display filters is in the dfilters file, using the dialog opened by Analyze -> Display Filters, where each display filter can also be named.

I can’t see anything in the source or installer that would wipe out recent_common and a test update from 2.3.0 something to the latest master didn’t remove my recent_common entries.

What version are you upgrading from?

(28 Dec ‘16, 07:46) grahamb ♦