Hi everyone,

I'm currently working on a dissector and I'd like to add my own color rule. It worked, but now, I'd like to change the foreground color that I've chosen. However, when I try to save with "Ok", an error message pops up telling me: "Your coloring rules file contains unknown rule. Wireshark doesn't recognize one or more of you coloring rules. They have been disabled."

I don't understand why it doesn't work. Even if I open the rules and close them just by clicking "Ok", the same message pops up, even if there isn't any modification. I also tried to remove all the rules, the message still appears.

Do you have any idea?

My suggestion would be to navigate to your "Personal configuration" directory (Help -> About Wireshark -> Folders -> Personal configuration) and rename your colorfilters file so that you can save a copy of it, e.g., colorfilters_save.

After that, navigate to the Wireshark installation directory and copy the default colorfilters file from there over to your "Personal configuration" directory, effectively replacing the old file.

At this point, you should be able to add your custom color filters either via Wireshark's GUI or by copying/pasting your custom entries from your saved file to the new file using any text editor.

Note: You will likely need to perform these steps for all of your profiles in which a colorfilters file exists.

Perfect, it works! I don't really understand what the cause was, but at least my issue is solved :).

(24 Jul '17, 12:14) MattJuillet
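The backup-and-replace procedure from the answer above, scripted so it covers every profile in one pass. This is an added example, not part of the original thread or of Wireshark itself. It assumes profiles live under `profiles/<name>/` in the personal configuration directory; the function names, the `_save` suffix handling and the demo data are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

def reset_colorfilters(personal_dir, default_file, suffix="_save"):
    """Rename each colorfilters file (top level and profiles/*) to a backup
    and put a copy of default_file in its place. Returns the backup paths."""
    personal_dir, default_file = Path(personal_dir), Path(default_file)
    if not default_file.is_file():
        raise FileNotFoundError(f"default colorfilters not found: {default_file}")
    targets = [personal_dir / "colorfilters"]
    targets += sorted(personal_dir.glob("profiles/*/colorfilters"))
    backups = []
    for cf in targets:
        if not cf.is_file():
            continue  # this profile has no colorfilters file of its own
        backup, n = cf.with_name(cf.name + suffix), 1
        while backup.exists():  # keep earlier backups instead of overwriting
            backup = cf.with_name(f"{cf.name}{suffix}.{n}")
            n += 1
        cf.rename(backup)
        shutil.copyfile(default_file, cf)
        backups.append(backup)
    return backups

def custom_rules(backup_file, default_file):
    """Rule lines present in the backup but absent from the default file:
    the entries to review and re-add by hand."""
    def rules(path):
        lines = Path(path).read_text(encoding="utf-8").splitlines()
        stripped = (line.strip() for line in lines)
        return [s for s in stripped if s and not s.startswith("#")]
    known = set(rules(default_file))
    return [r for r in rules(backup_file) if r not in known]

if __name__ == "__main__":
    # Constructed demo tree; real paths are listed under
    # Help -> About Wireshark -> Folders.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        default = root / "colorfilters.default"
        default.write_text("@TCP@tcp@[1,2,3][4,5,6]\n", encoding="utf-8")
        personal = root / "personal"
        personal.mkdir()
        (personal / "colorfilters").write_text(
            "@TCP@tcp@[1,2,3][4,5,6]\n@Mine@myproto@[0,0,0][9,9,9]\n",
            encoding="utf-8")
        for b in reset_colorfilters(personal, default):
            print(b.name, custom_rules(b, default))
```

Close Wireshark before running it against a real configuration directory, and review each line `custom_rules` returns before pasting it back, since the rule Wireshark rejected will be among them.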

This is likely to have been due to a change in the coloring rules; this question has been asked multiple times before, e.g. here, here and here.

Hi Grahamb,

I have consulted all these posts before sending my request and none of them seems to correspond to my issue: I haven't done any update recently, and I don't use any checksum (it doesn't work even if I remove all the rules). I think my problem is different.

Thank you for your help anyway!


(24 Jul '17, 08:16) MattJuillet

Had the EXACT same issue.

I found the issue 5 minutes ago on the first link grahamb posted.

Using the old legacy Wireshark, I was able to delete the checksum coloring rules, which I was unable to do in the new client.


(25 Oct '17, 11:32) jerioux
