This is a static archive of our old Q&A Site. Please post any new questions and answers at

Impossible to edit the color rule


Hi everyone,

I'm currently working on a dissector and I'd like to add my own color rule. It worked, but now, I'd like to change the foreground color that I've chosen. However, when I try to save with "Ok", an error message pops up telling me: "Your coloring rules file contains unknown rule. Wireshark doesn't recognize one or more of you coloring rules. They have been disabled."

I don't understand why it doesn't work. Even if I open the rules and close them just by clicking "Ok", the same message pops up, even if there isn't any modification. I also tried to remove all the rules, the message still appears.

Do you have any idea?

Thanks in advance,


asked 24 Jul '17, 07:17

MattJuillet's gravatar image

accept rate: 0%

edited 24 Jul '17, 07:18

2 Answers:


My suggestion would be to navigate to your "Personal configuration" directory (Help -> About Wireshark -> Folders -> Personal configuration) and rename your colorfilters file so that you can save a copy of it, e.g., colorfilters_save.

After that, navigate to the Wireshark installation directory and copy the default colorfilters file from there over to your "Personal configuration" directory, effectively replacing the old file.

At this point, you should be able to add your custom color filters either via Wireshark's GUI or by copying/pasting your custom entries from your saved file to the new file using any text editor.

Note: You will likely need to perform these steps for all of your profiles in which a colorfilters file exists.

answered 24 Jul '17, 12:07

cmaynard's gravatar image

cmaynard ♦♦
accept rate: 20%


Perfect, it works! I don't really understand what was the cause, but at least my issue is solved :).

(24 Jul '17, 12:14) MattJuillet


This is likely to have been due to a change in the coloring rules, this question has been asked mutiple times before, e.g. here, here and here.

answered 24 Jul '17, 07:38

grahamb's gravatar image

grahamb ♦
accept rate: 22%

Hi Grahamb,

I have consulted all these posts before sending my request and none of them seems to correspond to my issue: I don't have done any update recently, and I don't use any checksum (it doesn't work even if I remove all the rules). I think my problem is different.

Thank you for your help anyway!


(24 Jul '17, 08:16) MattJuillet

Had the EXACT same issue.

I found the issue 5 minutes ago on the first link grahamb posted.

Using the old legacy wireshark, I was able to delete the checksum coloring rules, which I was unable to do in the new client.


(25 Oct '17, 11:32) jerioux