| blob | 6d254c028d9b96692d441b7ec272c0d7b88d6d8b |
1 <!-- WSUG Appendix Files -->
2 <!-- $Id$ -->
4 <appendix id="AppFiles">
5 <title>Files and Folders</title>
7 <section id="ChAppFilesCaptureFilesSection"><title>Capture Files</title>
8 <para>
9 To understand which information will remain available after
10 the captured packets are saved to a capture file,
11 it's helpful to know a bit about the capture file contents.
12 </para>
13 <para>
14 Wireshark uses the libpcap file format as the default format to save
15 captured packets; this format has existed for a long time and it's pretty simple.
16 However, it has some drawbacks: it's not extensible and lacks some
17 information that would be really helpful (e.g. being able to add a comment
18 to a packet such as "the problems start here" would be really nice).
19 </para>
20 <para>
21 In addition to the libpcap format, Wireshark supports several different
22 capture file formats. However, the problems described above also applies
23 for these formats.
24 </para>
25 <para>
26 A new capture file format "PCAP Next Generation Dump File Format"
27 is currently under development, which will fix these drawbacks.
28 However, it still might take a while until the new file format is ready
29 and Wireshark can use it.
30 </para>
31 <section id="ChIOFileContentSection"><title>Libpcap File Contents</title>
32 <para>
33 At the start of each libpcap capture file some basic information is stored
34 like a magic number to identify the libpcap file format.
35 The most interesting information of this file start is the link layer type
36 (Ethernet, Token Ring, ...).
37 </para>
38 <para>
39 The following data is saved for each packet:
40 <itemizedlist>
41 <listitem>
42 <para>
43 the timestamp with millisecond resolution
44 </para>
45 </listitem>
46 <listitem>
47 <para>
48 the packet length as it was "on the wire"
49 </para>
50 </listitem>
51 <listitem>
52 <para>
53 the packet length as it's saved in the file
54 </para>
55 </listitem>
56 <listitem>
57 <para>
58 the packet's raw bytes
59 </para>
60 </listitem>
61 </itemizedlist>
62 A detailed description of the libpcap file format can be found at:
63 <ulink url="http://wiki.wireshark.org/Development/LibpcapFileFormat"/>
64 </para>
65 </section>
66 <section id="ChIOFileNotContentSection"><title>Not Saved in the Capture File</title>
67 <para>
68 Probably even more interesting for everyday Wireshark usage is to know
69 the things that are <command>not saved</command> in the capture file:
70 <itemizedlist>
71 <listitem>
72 <para>
73 current selections (selected packet, ...)
74 </para>
75 </listitem>
76 <listitem>
77 <para>
78 name resolution information, see <xref
79 linkend="ChAdvNameResolutionSection"/> for details
80 <warning><title>Warning!</title>
81 <para>
82 The name resolution information is rebuilt each time Wireshark is
83 restarted so this information might even change when the capture file
84 is reopened on the same machine later!
85 </para>
86 </warning>
87 </para>
88 </listitem>
89 <listitem>
90 <para>
91 the number of packets dropped while capturing
92 </para>
93 </listitem>
94 <listitem>
95 <para>
96 packet marks set with "Edit/Mark Packet"
97 </para>
98 </listitem>
99 <listitem>
100 <para>
101 time references set with "Edit/Time Reference"
102 </para>
103 </listitem>
104 <listitem>
105 <para>
106 the current display filter
107 </para>
108 </listitem>
109 <listitem>
110 <para>
111 ...
112 </para>
113 </listitem>
114 </itemizedlist>
115 </para>
116 </section>
117 </section>
119 <section id="ChAppFilesConfigurationSection"><title>Configuration Files and Folders</title>
120 <para>
121 Wireshark uses a number of files and folders while it is running. Some
122 of these reside in the personal configuration folder and are used to
123 maintain information between runs of Wireshark, while some of them are
124 maintained in system areas.
125 </para>
126 <tip><title>Tip</title>
127 <para>A list of the folders Wireshark actually uses can be found under the
128 <command>Folders</command> tab in the dialog box shown when you select
129 <command>About Wireshark</command> from the <command>Help</command> menu.
130 </para>
131 </tip>
132 <para>
133 The content format of the configuration files is the same on all platforms.
134 However, to match the different policies for Unix and Windows platforms,
135 different folders are used for these files.
136 </para>
137 <table id="AppFilesTabFolders" frame="none">
138 <title>Configuration files and folders overview</title>
139 <tgroup cols="4">
140 <colspec colnum="1" colwidth="72pt"/>
141 <colspec colnum="2" colwidth="80pt"/>
142 <colspec colnum="3" colwidth="80pt"/>
143 <thead>
144 <row>
145 <entry>File/Folder</entry>
146 <entry>Description</entry>
147 <entry>Unix/Linux folders</entry>
148 <entry>Windows folders</entry>
149 </row>
150 </thead>
151 <tbody>
152 <row>
153 <entry><command>preferences</command></entry>
154 <entry>Settings from the Preferences dialog box.</entry>
155 <entry>/etc/wireshark.conf, $HOME/.wireshark/preferences</entry>
156 <entry>%WIRESHARK%\wireshark.conf, %APPDATA%\Wireshark\preferences</entry>
157 </row>
158 <row>
159 <entry><command>recent</command></entry>
160 <entry>Recent GUI settings (e.g. recent files lists).</entry>
161 <entry>$HOME/.wireshark/recent</entry>
162 <entry>%APPDATA%\Wireshark\recent</entry>
163 </row>
164 <row>
165 <entry><command>cfilters</command></entry>
166 <entry>Capture filters.</entry>
167 <entry>$HOME/.wireshark/cfilters</entry>
168 <entry>%WIRESHARK%\cfilters, %APPDATA%\Wireshark\cfilters</entry>
169 </row>
170 <row>
171 <entry><command>dfilters</command></entry>
172 <entry>Display filters.</entry>
173 <entry>$HOME/.wireshark/dfilters</entry>
174 <entry>%WIRESHARK%\dfilters, %APPDATA%\Wireshark\dfilters</entry>
175 </row>
176 <row>
177 <entry><command>colorfilters</command></entry>
178 <entry>Coloring rules.</entry>
179 <entry>$HOME/.wireshark/colorfilters</entry>
180 <entry>%WIRESHARK%\colorfilters, %APPDATA%\Wireshark\colorfilters</entry>
181 </row>
182 <row>
183 <entry><command>disabled_protos</command></entry>
184 <entry>Disabled protocols.</entry>
185 <entry>$HOME/.wireshark/disabled_protos</entry>
186 <entry>%WIRESHARK%\disabled_protos, %APPDATA%\Wireshark\disabled_protos</entry>
187 </row>
188 <row>
189 <entry><command>ethers</command></entry>
190 <entry>Ethernet name resolution.</entry>
191 <entry>/etc/ethers, $HOME/.wireshark/ethers</entry>
192 <entry>%WIRESHARK%\ethers, %APPDATA%\Wireshark\ethers</entry>
193 </row>
194 <row>
195 <entry><command>manuf</command></entry>
196 <entry>Ethernet name resolution.</entry>
197 <entry>/etc/manuf, $HOME/.wireshark/manuf</entry>
198 <entry>%WIRESHARK%\manuf, %APPDATA%\Wireshark\manuf</entry>
199 </row>
200 <row>
201 <entry><command>hosts</command></entry>
202 <entry>IPv4 and IPv6 name resolution.</entry>
203 <entry>/etc/hosts, $HOME/.wireshark/hosts</entry>
204 <entry>%WIRESHARK%\hosts, %APPDATA%\Wireshark\hosts</entry>
205 </row>
206 <row>
207 <entry><command>services</command></entry>
208 <entry>Network services.</entry>
209 <entry>/etc/services, $HOME/.wireshark/services</entry>
210 <entry>%WIRESHARK%\services, %APPDATA%\Wireshark\services</entry>
211 </row>
212 <row>
213 <entry><command>subnets</command></entry>
214 <entry>IPv4 subnet name resolution.</entry>
215 <entry>/etc/subnets, $HOME/.wireshark/subnets</entry>
216 <entry>%WIRESHARK%\subnets, %APPDATA%\Wireshark\subnets</entry>
217 </row>
218 <row>
219 <entry><command>ipxnets</command></entry>
220 <entry>IPX name resolution.</entry>
221 <entry>/etc/ipxnets, $HOME/.wireshark/ipxnets</entry>
222 <entry>%WIRESHARK%\ipxnets, %APPDATA%\Wireshark\ipxnets</entry>
223 </row>
224 <row>
225 <entry><command>plugins</command></entry>
226 <entry>Plugin directories.</entry>
227 <entry>/usr/share/wireshark/plugins,
228 /usr/local/share/wireshark/plugins,
229 $HOME/.wireshark/plugins
230 </entry>
231 <entry>%WIRESHARK%\plugins\<version>,
232 %APPDATA%\Wireshark\plugins</entry>
233 </row>
234 <row>
235 <entry><command>temp</command></entry>
236 <entry>Temporary files.</entry>
237 <entry>Environment: TMPDIR</entry>
238 <entry>Environment: TMPDIR or TEMP</entry>
239 </row>
240 </tbody>
241 </tgroup>
242 </table>
243 <note><title>Windows folders</title>
244 <para>
245 %APPDATA% points to the personal configuration folder, e.g.:
246 <filename>C:\Documents and Settings\<username>\Application Data</filename>
247 (details can be found at: <xref linkend="ChWindowsProfiles"/>),
248 </para>
249 <para>
250 %WIRESHARK% points to the Wireshark program folder, e.g.:
251 <filename>C:\Program Files\Wireshark</filename>
252 </para>
253 </note>
254 <note><title>Unix/Linux folders</title>
255 <para>
256 The <filename>/etc</filename> folder is the global Wireshark configuration
257 folder. The folder actually used on your system
258 may vary, maybe something like: <filename>/usr/local/etc</filename>.
259 </para>
260 <para>
261 $HOME is usually something like: <filename>/home/<username></filename>
262 </para>
263 </note>
264 <para>
265 <variablelist>
266 <varlistentry>
267 <term><command>preferences/wireshark.conf</command></term>
268 <listitem>
269 <para>
270 This file contains your Wireshark preferences,
271 including defaults for capturing and displaying packets.
272 It is a simple text file containing statements of the form:
273 <programlisting>
274 variable: value
275 </programlisting>
276 The settings from this file are
277 read in at program start and written to disk when you press the
278 Save button in the "Preferences" dialog box.
279 </para>
280 </listitem>
281 </varlistentry>
282 <varlistentry>
283 <term><command>recent</command></term>
284 <listitem>
285 <para>
286 This file contains various GUI related settings like the main window
287 position and size, the recent files list and such.
288 It is a simple text file containing statements of the form:
289 <programlisting>
290 variable: value
291 </programlisting>
292 It is read at program start and written at program exit.
293 </para>
294 </listitem>
295 </varlistentry>
296 <varlistentry><term><command>cfilters</command></term>
297 <listitem>
298 <para>
299 This file contains all the capture filters that you have defined
300 and saved. It consists of one or more lines, where each
301 line has the following format:
302 <programlisting>
303 "<filter name>" <filter string>
304 </programlisting>
305 The settings from this file are read in at program start and written
306 to disk when you press the Save button in the "Capture Filters" dialog
307 box.
308 </para>
309 </listitem>
310 </varlistentry>
311 <varlistentry><term><command>dfilters</command></term>
312 <listitem>
313 <para>
314 This file contains all the display filters that you have defined
315 and saved. It consists of one or more lines, where each
316 line has the following format:
317 <programlisting>
318 "<filter name>" <filter string>
319 </programlisting>
320 The settings from this file are read in at program start and written
321 to disk when you press the Save button in the "Display Filters" dialog
322 box.
323 </para>
324 </listitem>
325 </varlistentry>
326 <varlistentry>
327 <term><command>colorfilters</command></term>
328 <listitem>
329 <para>
330 This file contains all the color filters that you have
331 defined and saved. It consists of one or more lines,
332 where each line has the following format:
333 <programlisting>
334 @<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]
335 </programlisting>
336 </para>
337 <para>
338 The settings from this file are read in at program start and written
339 to disk when you press the Save button in the "Coloring Rules" dialog
340 box.
341 </para>
342 </listitem>
343 </varlistentry>
344 <varlistentry>
345 <term><command>disabled_protos</command></term>
346 <listitem>
347 <para>
348 Each line in this file specifies a disabled protocol name. The
349 following are some examples:
350 <programlisting>
351 tcp
352 udp
353 </programlisting>
354 </para>
355 <para>
356 The settings from this file are read in at program start and written
357 to disk when you press the Save button in the "Enabled Protocols"
358 dialog box.
359 </para>
360 </listitem>
361 </varlistentry>
362 <varlistentry>
363 <term>
364 <command>ethers</command>
365 </term>
366 <listitem>
367 <para>
368 When Wireshark is trying to translate Ethernet hardware
369 addresses to names, it consults the files listed in
370 <xref linkend="AppFilesTabFolders"/>.
371 If an address is not found in /etc/ethers,
372 Wireshark looks in $HOME/.wireshark/ethers
373 </para>
374 <para>
375 Each line in these files consists of one hardware address and
376 name separated by whitespace. The digits of hardware
377 addresses are separated by colons (:), dashes (-) or
378 periods(.). The following are some examples:
379 <programlisting>
380 ff-ff-ff-ff-ff-ff Broadcast
381 c0-00-ff-ff-ff-ff TR_broadcast
382 00.2b.08.93.4b.a1 Freds_machine
383 </programlisting>
384 The settings from this file are read in at program start and never
385 written by Wireshark.
386 </para>
387 </listitem>
388 </varlistentry>
389 <varlistentry>
390 <term><command>manuf</command></term>
391 <listitem>
392 <para>
393 Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
394 to translate the first three bytes of an Ethernet address into a
395 manufacturers name. This file has the same format as the ethers
396 file, except addresses are three bytes long.
397 </para>
398 <para>
399 An example is:
400 <programlisting>
401 00:00:01 Xerox # XEROX CORPORATION
402 </programlisting>
403 </para>
404 <para>
405 The settings from this file are read in at program start and never
406 written by Wireshark.
407 </para>
408 </listitem>
409 </varlistentry>
410 <varlistentry>
411 <term><command>hosts</command></term>
412 <listitem>
413 <para>
414 Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
415 to translate IPv4 and IPv6 addresses into names.
416 </para>
417 <para>
418 This file has the same format as the usual /etc/hosts file on Unix systems.
419 </para>
420 <para>
421 An example is:
422 <programlisting>
423 # Comments must be prepended by the # sign!
424 192.168.0.1 homeserver
425 </programlisting>
426 </para>
427 <para>
428 The settings from this file are read in at program start and never
429 written by Wireshark.
430 </para>
431 </listitem>
432 </varlistentry>
433 <varlistentry>
434 <term><command>services</command></term>
435 <listitem>
436 <para>
437 Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
438 to translate port numbers into names.
439 </para>
440 <para>
441 An example is:
442 <programlisting>
443 mydns 5045/udp # My own Domain Name Server
444 mydns 5045/tcp # My own Domain Name Server
445 </programlisting>
446 </para>
447 <para>
448 The settings from this file are read in at program start and never
449 written by Wireshark.
450 </para>
451 </listitem>
452 </varlistentry>
453 <varlistentry>
454 <term><command>subnets</command></term>
455 <listitem>
456 <para>
457 Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
458 to translate an IPv4 address into a subnet name. If no exact match from the
459 hosts file or from DNS is found, Wireshark will attempt a partial match for the subnet
460 of the address.
461 </para>
462 <para>
463 Each line of this file consists of an IPv4 address, a subnet mask length separated
464 only by a '/' and a name separated by whitespace. While the address must be a full IPv4
465 address, any values beyond the mask length are subsequently ignored.
466 </para>
468 <para>
469 An example is:
470 <programlisting>
471 # Comments must be prepended by the # sign!
472 192.168.0.0/24 ws_test_network
473 </programlisting>
474 </para>
475 <para>
476 A partially matched name will be printed as "subnet-name.remaining-address". For example,
477 "192.168.0.1" under the subnet above would be printed as "ws_test_network.1"; if the mask length
478 above had been 16 rather than 24, the printed address would be "ws_test_network.0.1".
479 </para>
480 <para>
481 The settings from this file are read in at program start and never
482 written by Wireshark.
483 </para>
484 </listitem>
485 </varlistentry>
486 <varlistentry>
487 <term><command>ipxnets</command></term>
488 <listitem>
489 <para>
490 Wireshark uses the files listed in <xref linkend="AppFilesTabFolders"/>
491 to translate IPX network numbers into names.
492 </para>
493 <para>
494 An example is:
495 <programlisting>
496 C0.A8.2C.00 HR
497 c0-a8-1c-00 CEO
498 00:00:BE:EF IT_Server1
499 110f FileServer3
500 </programlisting>
501 </para>
502 <para>
503 The settings from this file are read in at program start and never
504 written by Wireshark.
505 </para>
506 </listitem>
507 </varlistentry>
508 <varlistentry>
509 <term><command>plugins</command> folder</term>
510 <listitem>
511 <para>
512 Wireshark searches for plugins in the directories listed in
513 <xref linkend="AppFilesTabFolders"/>.
514 They are searched in the order listed.
515 </para>
516 </listitem>
517 </varlistentry>
518 <varlistentry>
519 <term><command>temp</command> folder</term>
520 <listitem>
521 <para>
522 If you start a new capture and don't specify a filename for it,
523 Wireshark uses this directory to store that file; see
524 <xref linkend="ChCapCaptureFiles"/>.
525 </para>
526 </listitem>
527 </varlistentry>
528 </variablelist>
529 </para>
531 <section id="ChProtocolHelp"><title>Protocol help configuration</title>
532 <para>
533 Wireshark can use configuration files to create context-sensitive menu
534 items for protocol detail items which will load help URLs in your web
535 browser.
536 </para>
537 <para>
538 To create a protocol help file, create a folder named "protocol_help"
539 in either the personal or global configuration folders. Then create a
540 text file with the extension ".ini" in the "protocol_help" folder. The
541 file must contain key-value pairs with the following sections:
542 <variablelist>
543 <varlistentry>
544 <term>[database]</term>
545 <listitem>
546 <para>
547 Mandatory. This contains initialization information for the
548 help file. The following keys must be defined:
549 <variablelist>
550 <varlistentry>
551 <term>source</term>
552 <listitem><para>Source name, e.g. "HyperGlobalMegaMart".</para></listitem>
553 </varlistentry>
554 <varlistentry>
555 <term>version</term>
556 <listitem><para>Must be "1".</para></listitem>
557 </varlistentry>
558 <varlistentry>
559 <term>location</term>
560 <listitem>
561 <para>
562 General URL for help items. Variables can be substituted using
563 the [location data] section below.
564 </para>
565 </listitem>
566 </varlistentry>
567 </variablelist>
568 </para>
569 </listitem>
570 </varlistentry>
572 <varlistentry>
573 <term>[location data]</term>
574 <listitem>
575 <para>
576 Optional. Contains keys that will be used for variable
577 substitution in the "location" value. For example, if
578 the database section contains
579 <programlisting>
580 location = http://www.example.com/proto?cookie=${cookie}&path=${PATH}
581 </programlisting>
582 then setting
583 <programlisting>
584 cookie = anonymous-user-1138
585 </programlisting>
586 will result in the URL
587 "http://www.example.com/proto?cookie=anonymous-user-1138&path=${PATH}".
588 PATH is used for help path substitution, and shouldn't be defined in this section.
589 </para>
590 </listitem>
591 </varlistentry>
593 <varlistentry>
594 <term>[map]</term>
595 <listitem>
596 <para>
597 Maps Wireshark protocol names to section names below. Each key
598 MUST match a valid protocol name such as "ip". Each value MUST
599 have a matching section defined in the configuration file.
600 </para>
601 </listitem>
602 </varlistentry>
604 </variablelist>
606 Each protocol section must contain an "_OVERVIEW" key which will be used
607 as the first menu item for the help source. Subsequent keys must match
608 descriptions in the protocol detail. Values will be used as the ${PATH}
609 variable in the location template. If ${PATH} isn't present in the location
610 template the value will be appended to the location.
611 </para>
613 <para>
614 Suppose the file
615 <filename>C:\Users\sam.clemens\AppData\Roaming\Wireshark\protocol_help\wikipedia.ini</filename>
616 contains the following:
618 <programlisting>
619 # Wikipedia (en) protocol help file.
621 # Help file initialization
622 # source: The source of the help information, e.g. "Inacon" or "Wikipedia"
623 # version: Currently unused. Must be "1".
624 # url_template: Template for generated URLs. See "URL Data" below.
625 [database]
626 source=Wikipedia
627 version=1
628 url_template=http://${language}.wikipedia.org/wiki/${PATH}
630 # Substitution data for the location template.
631 # Each occurence of the keys below in the location template will be
632 # substituted with their corresponding values. For example, "${license}"
633 # in the URL template above will be replaced with the value of "license"
634 # below.
635 #
636 # PATH is reserved for the help paths below; do not specify it here.
637 [location data]
638 language = en
640 # Maps Wireshark protocol names to section names below. Each key MUST match
641 # a valid protocol name. Each value MUST have a matching section below.
642 [map]
643 tcp=TCP
645 # Mapped protocol sections.
646 # Keys must match protocol detail items descriptions.
647 [TCP]
648 _OVERVIEW=Transmission_Control_Protocol
649 Destination port=Transmission_Control_Protocol#TCP_ports
650 Source port=Transmission_Control_Protocol#TCP_ports
651 </programlisting>
652 Right-clicking on a TCP protocol detail item will display a help menu
653 item that displays the Wikipedia page for TCP. Right-clicking on the
654 TCP destination or source ports will display additional help menu items that
655 take you to the "TCP ports" section of the page.
656 </para>
658 <para>
659 The [location data] and ${PATH} can be omitted if they are not needed.
660 For example, the following configuration is functionally equivalent to
661 the previous configuration:
662 <programlisting>
663 [database]
664 source=Wikipedia
665 version=1
666 location=http://en.wikipedia.org/wiki/
668 [map]
669 tcp=TCP
671 [TCP]
672 _OVERVIEW=Transmission_Control_Protocol
673 Destination port=Transmission_Control_Protocol#TCP_ports
674 Source port=Transmission_Control_Protocol#TCP_ports
675 </programlisting>
676 </para>
677 </section>
679 </section>
681 <section id="ChWindowsFolder"><title>Windows folders</title>
682 <para>
683 Here you will find some details about the folders used in Wireshark
684 on different Windows versions.
685 </para>
686 <para>
687 As already mentioned, you can find the currently used folders in the
688 <command>About Wireshark</command> dialog.
689 </para>
691 <section id="ChWindowsProfiles"><title>Windows profiles</title>
692 <para>
693 Windows uses some special directories to store user configuration files
694 which define the "user profile". This can be confusing, as the default directory location
695 changed from Windows version to version and might also be different for English
696 and internationalized versions of Windows.
697 </para>
698 <note><title>Note!</title>
699 <para>
700 If you've upgraded to a new Windows version, your profile might
701 be kept in the former location, so the defaults mentioned here might not
702 apply.
703 </para>
704 </note>
705 <para>
706 The following guides
707 you to the right place where to look for Wireshark's profile data.
708 </para>
709 <para>
710 <variablelist>
711 <varlistentry>
712 <term><application>Windows 7</application>, <application>Windows Vista</application></term>
713 <listitem>
714 <para>
715 <filename>C:\Users\<username>\AppData\Roaming\Wireshark</filename>
716 </para>
717 </listitem>
718 </varlistentry>
720 <varlistentry>
721 <term><application>Windows XP</application></term>
722 <listitem>
723 <para>
724 <filename>C:\Documents and Settings\<username>\Application Data</filename>,
725 "Documents and Settings" and "Application Data" might be internationalized.
726 </para>
727 </listitem>
728 </varlistentry>
730 <varlistentry>
731 <term><application>Windows 2000</application> (no longer supported by Wireshark, for historical reference only)</term>
732 <listitem>
733 <para>
734 <filename>C:\Documents and Settings\<username>\Application Data</filename>,
735 "Documents and Settings" and "Application Data" might be internationalized.
736 </para>
737 </listitem>
738 </varlistentry>
740 <varlistentry>
741 <term><application>Windows NT 4</application> (no longer supported, for historical reference only)</term>
742 <listitem>
743 <para>
744 <filename>C:\WINNT\Profiles\<username>\Application Data\Wireshark</filename>
745 </para>
746 </listitem>
747 </varlistentry>
748 <varlistentry>
749 <term><application>Windows ME</application>, <application>Windows 98</application> with user profiles (no longer supported, for historical reference only)</term>
750 <listitem>
751 <para>
752 In Windows ME and 98 you can enable separate user profiles. In that case,
753 something like
754 <filename>C:\windows\Profiles\<username>\Application Data\Wireshark</filename>
755 is used.
756 </para>
757 </listitem>
758 </varlistentry>
759 <varlistentry>
760 <term><application>Windows ME</application>, <application>Windows 98</application> without user profiles (no longer supported, for historical reference only)</term>
761 <listitem>
762 <para>
763 Without user profiles enabled the default location for all users is
764 <filename>C:\windows\Application Data\Wireshark</filename>
765 </para>
766 </listitem>
767 </varlistentry>
768 </variablelist>
769 </para>
770 </section>
772 <section id="ChWindowsRoamingProfiles">
773 <title>Windows 7, Vista, XP, 2000, and NT roaming profiles</title>
774 <para>
775 The following will only be applicable if you are using roaming profiles.
776 This might be the case, if you work in a Windows domain environment
777 (used in company networks). The configurations of all
778 programs you use won't be saved on the local hard drive of the computer
779 you are currently working on, but on the domain server.
780 </para>
781 <para>
782 As Wireshark is using the correct places to store its profile data,
783 your settings will travel with you, if you logon to a different computer
784 the next time.
785 </para>
786 <para>
787 There is an exception to this: The "Local Settings" folder in your profile
788 data (typically something like:
789 <filename>C:\Documents and Settings\<username>\Local Settings</filename>)
790 will not be transferred to the domain server. This is the default for
791 temporary capture files.
792 </para>
793 </section>
795 <section id="ChWindowsTempFolder">
796 <title>Windows temporary folder</title>
797 <para>
798 Wireshark uses the folder which is set by the TMPDIR or TEMP environment
799 variable. This variable will be set by the Windows installer.
800 </para>
801 <para>
802 <variablelist>
803 <varlistentry>
804 <term><application>Windows 7</application>, <application>Windows Vista</application></term>
805 <listitem>
806 <para>
807 <filename>C:\Users\<username>\AppData\Local\Temp</filename>
808 </para>
809 </listitem>
810 </varlistentry>
811 <varlistentry>
812 <term><application>Windows XP</application>, <application>Windows 2000</application></term>
813 <listitem>
814 <para>
815 <filename>C:\Documents and Settings\<username>\Local Settings\Temp</filename>
816 </para>
817 </listitem>
818 </varlistentry>
819 <varlistentry>
820 <term><application>Windows NT</application></term>
821 <listitem>
822 <para>
823 <filename>C:\TEMP</filename>
824 </para>
825 </listitem>
826 </varlistentry>
827 </variablelist>
828 </para>
829 </section>
831 </section>
833 </appendix>
834 <!-- End of WSUG Appendix Files -->