Coloring rules not working

Recently I tried to create a new coloring rule and it is not working anymore. If I go to View - Coloring Rules, just when I press "OK" (it does not matter if I create or modify a rule or not) I get the error:

Your coloring rules file contains unknown rules. Wireshark doesn't recognize one or more of your coloring rules. They have been disabled.

This happens with any profile, the Classic one and my own. For example, the contents of the Classic profile are:

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][65535,24383,24383]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[0,0,0][65535,63222,0]
@Spanning Tree Topology  Change@stp.type == 0x80@[0,0,0][65535,63222,0]
@OSPF State Change@ospf.msg != 1@[0,0,0][65535,63222,0]
@ICMP errors@icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4@[0,0,0][0,65535,3616]
@ARP@arp@[55011,59486,65534][0,0,0]
@ICMP@icmp || icmpv6@[49680,49737,65535][0,0,0]
@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63121,32911]
@SCTP ABORT@sctp.chunk_type eq ABORT@[37008,0,0][65535,63121,32911]
@TTL low or unexpected@( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]
@Checksum Errors@eth.fcs.status=="Bad" || edp.checksum.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad"|| sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad"@[0,0,0][65535,24383,24383]
@SMB@smb || nbss || nbns || nbipx || ipxsap || netbios@[65534,64008,39339][0,0,0]
@HTTP@http || tcp.port == 80@[36107,65535,32590][0,0,0]
@IPX@ipx || spx@[65534,58325,58808][0,0,0]
@DCERPC@dcerpc@[51199,38706,65533][0,0,0]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65534,62325,54808][0,0,0]
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41026,41026,41026][0,0,0]
@TCP@tcp@[59345,58980,65534][0,0,0]
@UDP@udp@[28834,57427,65533][0,0,0]
@Broadcast@eth[0] & 1@[65535,65535,65535][32768,32768,32768]

I have read about new versions having broken old versions because of the Checksum strings, but I removed it and still have the problem. I have also clicked the minus sign on all rules except for the basic arp one, and I still get the error when I click OK. What can be happening?

wirefish (asked 2018-07-17 11:07:02 +0000)
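Wireshark stores each coloring rule on one line of the profile's colorfilters file as `[!]@name@display filter@[fg_r,fg_g,fg_b][bg_r,bg_g,bg_b]` (a leading `!` marks a rule that is switched off, neither the name nor the filter may contain `@`, and each colour component is a 16-bit value). When it loads the file it compiles every display filter, and any rule whose filter does not compile, typically because it references a field that no longer exists such as the pre-2.4 `*.checksum_bad` fields the asker mentions, is disabled with exactly the "contains unknown rules" message quoted above. The following script is an added example, not Wireshark's own code: it parses a colorfilters file in that layout, reports lines that do not fit the layout or have out-of-range colours, and flags filters that use the old checksum field names. The list of obsolete field suffixes is a hand-maintained illustration, not a complete list, and the sample file body is constructed for the example; the script cannot compile display filters (only Wireshark's engine can), so it is a first-pass triage of the file, not a replacement for the dialog's own check.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Line layout read by Wireshark's colorfilters loader:
#   [!]@<name>@<display filter>@[fg_r,fg_g,fg_b][bg_r,bg_g,bg_b]
RULE_RE = re.compile(
    r"^(?P<disabled>!?)@(?P<name>[^@]*)@(?P<filter>[^@]*)@"
    r"\[(?P<fg>\d+,\d+,\d+)\]\[(?P<bg>\d+,\d+,\d+)\]\s*$"
)

# Field names dropped in Wireshark 2.4 in favour of *.checksum.status / *.fcs.status.
# Hand-maintained example list; assumption of this script, not an exhaustive catalogue.
OBSOLETE_FIELD_RE = re.compile(
    r"\b(?:\w+\.)+(?:checksum_bad|fcs_bad|checksum_good|fcs_good)\b"
)


@dataclass
class Rule:
    lineno: int
    name: str
    filter: str
    fg: Tuple[int, ...]
    bg: Tuple[int, ...]
    disabled: bool
    problems: List[str] = field(default_factory=list)


def _rgb(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split(","))


def parse_colorfilters(text: str) -> List[Rule]:
    """Parse a colorfilters file body; lines Wireshark would reject carry problems."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Wireshark ignores blank lines and '#' comments as well
        m = RULE_RE.match(line)
        if not m:
            rules.append(Rule(lineno, "", line, (), (), False,
                              ["malformed line: expected [!]@name@filter@[r,g,b][r,g,b]"]))
            continue
        rule = Rule(lineno, m["name"], m["filter"], _rgb(m["fg"]), _rgb(m["bg"]),
                    m["disabled"] == "!")
        for which, rgb in (("foreground", rule.fg), ("background", rule.bg)):
            if any(component > 65535 for component in rgb):
                rule.problems.append(f"{which} colour component out of 16-bit range")
        if not rule.filter.strip():
            rule.problems.append("empty display filter")
        for old in OBSOLETE_FIELD_RE.findall(rule.filter):
            rule.problems.append(
                f"obsolete field {old!r}: use the matching '.status == \"Bad\"' field")
        rules.append(rule)
    return rules


def report(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Flatten every problem into (line number, rule name, description)."""
    return [(r.lineno, r.name, p) for r in rules for p in r.problems]


# Constructed sample: two good rules, an old-style checksum rule, a line missing
# its background colour, and a colour component that does not fit in 16 bits.
SAMPLE = """\
# DO NOT EDIT THIS FILE!  It was created by Wireshark
@ARP@arp@[55011,59486,65534][0,0,0]
!@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63121,32911]
@Checksum Errors@eth.fcs_bad==1 || ip.checksum_bad==1@[0,0,0][65535,24383,24383]
@Broken@tcp.port == 80@[65535,65535,65535]
@Bad Colour@udp@[70000,0,0][0,0,0]
"""

if __name__ == "__main__":
    for lineno, name, problem in report(parse_colorfilters(SAMPLE)):
        print(f"line {lineno} ({name or '?'}): {problem}")
```

Run it against a real file with `parse_colorfilters(open(path).read())`, where `path` is the colorfilters file inside the profile directory shown under Help > About Wireshark > Folders; a rule that parses cleanly here but is still disabled by Wireshark has a filter that fails to compile for a reason this script cannot see, which the Coloring Rules dialog will show when the rule is selected.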

Comments

Wireshark version?

grahamb (2018-07-17 11:15:09 +0000)

Sorry, I meant to add that and just forgot: Version 2.4.4 (v2.4.4-0-g90a7be11a4)

wirefish (2018-07-17 11:26:09 +0000)

I have updated to the latest version, 2.6, but now it doesn't even start. It is stuck at "Initializing external capture plugins".

wirefish (2018-07-17 13:32:20 +0000)

Possibly one of the extcap plugins doesn't work well on your system.

Stop Wireshark and move the executables out of the wireshark install\extcap directory to somewhere safe. If Wireshark then starts correctly, you can put the extcaps back one by one, restarting each time, to find the culprit.

grahamb (2018-07-17 14:36:01 +0000)

I have uninstalled everything, left USBcap uninstalled, reinstalled everything... didn't work. I repeated the process again and now it seems to work. I could add a new coloring rule. Not sure what happened but it seems fixed now. Thanks

wirefish (2018-07-17 15:24:13 +0000)