Protocol Buffers (Protobuf) are Google’s format for serializing structured data. Wireshark uses Protobuf Search Paths to locate custom .proto files and decode captured messages.
- Protobuf = compact, high-performance data format
- Wireshark decodes Protobuf via .proto files
- Search Paths specify where .proto files are located
- Without paths, messages appear as raw bytes
Protocol Buffers in Wireshark
Protocol Buffers (Protobuf) are Google’s efficient method for serializing structured data, and Wireshark can decode these byte-stream messages using .proto files.
- Created by Google in 2007
- Efficient binary message format (“byte stream”)
- Used for protocol negotiation and data serialization
- Wireshark decodes Protobuf using .proto definitions
- Adopted by major companies and frameworks (Google, Facebook, Apple, Dropwizard, Thrift)
Protobuf Search Paths
Protobuf Search Paths are directories that Wireshark (and tshark) use to locate .proto files referenced in captured network traffic. If your capture contains Protobuf-encoded fields, Wireshark uses these search paths to:
- Find and load your .proto definitions
- Decode custom message types
- Display readable fields instead of raw bytes
- Enable display filters based on Protobuf fields
Without these paths, Protobuf traffic may appear as “Opaque Field” or undecoded binary.
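Why the .proto definitions matter, shown as an added example (not code from the original page or from Wireshark): without a schema, a Protobuf payload yields only field numbers, wire types and raw values, and the field names come from the definition. The sample bytes and the `Login` message with its field names are constructed for illustration.

```python
def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value = 0
    for shift in range(0, 64, 7):
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos += 1
        if not byte & 0x80:          # high bit clear: last byte of the varint
            return value, pos
    raise ValueError("varint longer than 10 bytes")

def decode_raw(buf):
    """Schema-less walk of the wire format: (field_number, wire_type, value)."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        else:
            if wire_type == 2:                  # length-delimited
                size, pos = read_varint(buf, pos)
            elif wire_type in (1, 5):           # fixed64 / fixed32
                size = 8 if wire_type == 1 else 4
            else:
                raise ValueError(f"unsupported wire type {wire_type}")
            if pos + size > len(buf):
                raise ValueError("truncated field")
            value, pos = buf[pos:pos + size], pos + size
        fields.append((number, wire_type, value))
    return fields

# Hypothetical schema (an assumption), standing in for a .proto file:
#   message Login { string user = 1; uint32 session_id = 2; }
SCHEMA = {1: ("user", lambda v: v.decode("utf-8")), 2: ("session_id", int)}
SAMPLE = bytes.fromhex("0a05616c69636510ac02")  # constructed sample message

def decode_with_schema(buf, schema=SCHEMA):
    """Name each raw field the way a loaded .proto definition would."""
    out = {}
    for number, _wire_type, value in decode_raw(buf):
        name, convert = schema.get(number, (f"unknown_{number}", lambda v: v))
        out[name] = convert(value)
    return out

if __name__ == "__main__":
    print(decode_raw(SAMPLE))
    print(decode_with_schema(SAMPLE))
```

Fields that the schema does not list come back as `unknown_<number>`, which is the same information loss an analyst sees when the matching .proto file is not found.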
You'll want to set your protobuf search paths value in your Wireshark preferences file (usually located at C:\Users\<username>\AppData\Local\Programs\Wireshark\).
The default value is “wiretap”, which uses the Wireshark binaries compiled with system libraries:
Wireshark --version …
Protocol Buffers Version: 2.3.0
Application Version: 1.10.1
Library Version: 2.3.0
Protobuf Search Paths are “key=value” pairs, separated by a semicolon and surrounded by quotes (e.g., “path=C:\Users\<username>\AppData\Local\MyProtoshare\”).

Using Protobuf Search Paths With tshark
tshark is Wireshark’s command-line equivalent. It uses the same preference system, so you can specify Protobuf search paths using either:
- A configuration file, or
- The -o command-line override
Both methods work on headless servers where the GUI is unavailable.
Method 1: Override Protobuf Search Paths with -o
This is the simplest and most direct method:
tshark -o "protobuf.search_paths: /path/to/protos:/more/paths" -r capture.pcap
Notes:
- Use colon (:) to separate multiple search paths
- No parentheses, no quotes around individual paths
- This format avoids the common "unexpected char '/'" error seen by users
Method 2: Supply a Custom Preferences File
Export your Wireshark preferences (or create a new file), then use:
tshark -C /path/to/preferences -r capture.pcap
Inside that file, have:
protobuf.search_paths: /your/proto/dir:/another/dir
This is ideal for automated environments, CI pipelines, or decoding large batch captures.
Features
- The “protobuf search paths” settings in Wireshark are broken by default.
- The result is that Wireshark cannot find the files it needs to transfer data between itself and the remote protobuf server.
- Here's how you can modify your Wireshark preferences file to take advantage of “protobuf search paths”.
Save and Run Preferences
- Close Wireshark on both sides and restart it for changes to take effect. (This program does not support Auto-Restart.) After Wireshark restarts, open the preferences file with a text editor such as Notepad++ or TextEdit.
- Look for the line with “protobuf search paths”. Add a new line below it and copy and paste this text:
protobuf search paths = ./wiretap;C:\Users\<username>\AppData\Local\MyProtoshare
- Save your preferences file, then restart Wireshark. Wireshark should now be able to find the location of the protobuf files it needs.