What are Protobuf Search Paths in Wireshark?

Protocol Buffers (Protobuf) are Google’s format for serializing structured data. Wireshark uses Protobuf Search Paths to locate custom .proto files and decode captured messages.

• Protobuf = compact, high-performance data format
• Wireshark decodes Protobuf via .proto files
• Search Paths specify where .proto Files are located
• Without paths, messages appear as raw bytes

Protocol Buffers in Wireshark

Protocol Buffers (Protobuf) are Google’s efficient method for serializing structured data, and Wireshark can decode these byte-stream messages using .proto files.

• Created by Google in 2007
• Efficient binary message format (“byte stream”)
• Used for protocol negotiation and data serialization
• Wireshark decodes Protobuf using .proto definitions
• Adopted by major companies and frameworks (Google, Facebook, Apple, Dropwizard, Thrift)

Protobuf Search Paths

Protobuf Search Paths are directories that Wireshark (and tshark) use to locate .proto files referenced in captured network traffic. If your capture contains Protobuf-encoded fields, Wireshark uses these search paths to:

• Find and load your .proto definitions
• Decode custom message types
• Display readable fields instead of raw bytes
• Enable display filters based on Protobuf fields

Without these paths, Protobuf traffic may appear as “Opaque Field” or undecoded binary.

You'll want to set your protobuf search paths value in your Wireshark preferences file (usually located at C:\Users\<username>\AppData\Local\Programs\Wireshark\).

The default value is “wiretap”, which uses the Wireshark binaries compiled with system libraries:    

 Wireshark –version …     

Protocol Buffers Version: 2.3.0     

Application Version: 1.10.1   

 Library Version: 2.3.0

Protobuf Search Paths are “key=value" pairs, separated by a semicolon and surrounded by quotes (e.g., “path=C:\Users\<username>\AppData\Local\MyProtoshare\").

Using Protobuf Search Paths With tshark

tshark is Wireshark’s command-line equivalent. It uses the same preference system, so you can specify Protobuf search paths using either:

1. A configuration file, or
2. The -o command-line override

Both methods work on headless servers where the GUI is unavailable.

Method 1: Override Protobuf Search Paths with -o

This is the simplest and most direct method:

 tshark -o "protobuf.search_paths: /path/to/protos:/more/paths" -r capture.pcap

Notes:

• Use colon (:) to separate multiple search paths
• No parentheses, no quotes around individual paths
• This format avoids the common "unexpected char '/'" error seen by users

Method 2: Supply a Custom Preferences File

Export your Wireshark preferences (or create a new file), then use:

tshark -C /path/to/preferences -r capture.pcap

Inside that file, have:

protobuf.search_paths: /your/proto/dir:/another/dir

This is ideal for automated environments, CI pipelines, or decoding large batch captures.

Features

• The “protobuf search paths” settings in Wireshark are broken by default. 
• The result is that Wireshark cannot find the files it needs to transfer data between itself and the remote protobuf server.  
• Here's how you can modify your Wireshark preferences file to take advantage of “protobuf search paths”.

Save and Run Preferences

• Close Wireshark on both sides and restart it for changes to take effect. (This program does not support Auto-Restart.) After Wireshark restarts, open the preferences file with a text editor such as Notepad++ or TextEdit.
• Look for the line with “protobuf search paths”.  Add a new line below it and copy and paste this text:
  protobuf search paths = ./wiretap;C:\Users\<username>\AppData\Local\MyProtoshare
• Save your preference file then restart Wireshark. Wireshark should now be able to find the location of the protobuf files it needs.