A very useful mechanism available in Wireshark is packet colorization.
You can set up Wireshark so that it will colorize packets according to a
filter. This allows you to emphasize the packets you are (usually)
interested in.
There are two types of coloring rules in Wireshark: temporary ones that are
only used until you quit the program, and permanent ones that are saved to
a preference file so that they are available in the next session.
Temporary coloring rules can be added by selecting a packet and pressing
the <ctrl> key together with one of the number keys. This will
create a coloring rule based on the currently selected conversation. It will
try to create a conversation filter based on TCP first, then UDP, then IP
and finally Ethernet. Temporary filters can also be created by selecting
the "Colorize with Filter > Color X" menu items when right-clicking in the
packet-detail pane.
To permanently colorize packets, select the "Coloring Rules..." menu item
from the "View" menu; Wireshark will pop up the "Coloring Rules"
dialog box as shown in Figure 9.1, “The "Coloring Rules" dialog box”.
Once the Coloring Rules dialog box is up, there are a number
of buttons you can use, depending on whether or not you have any
color filters installed already.
Note: You will need to carefully select the order in which the coloring
rules are listed, as they are applied in order from top to bottom.
So, more specific rules need to be listed before more general rules.
For example, if you have a color rule for UDP before the one for DNS,
the color rule for DNS will never be applied (as DNS uses UDP, so the
UDP rule will match first).
If this is the first time you have used Coloring Rules, click on the New
button which will bring up the Edit color filter dialog box as shown in
Figure 9.2, “The "Edit Color Filter" dialog box”.
In the Edit Color Filter dialog box, simply enter a name for the color
filter, and enter a filter string in the Filter text field.
Figure 9.2, “The "Edit Color Filter" dialog box” shows the values "arp"
and "arp", which means that the name of the color filter is "arp" and the
filter will select protocols of type arp. Once you have entered these
values, you can choose a foreground and background color for packets that
match the filter expression. Click on "Foreground color..." or
"Background color..." to achieve this and Wireshark will pop up the
"Choose foreground/background color for protocol" dialog box as shown in
Figure 9.3, “The "Choose color" dialog box”.
Select the color you desire for the selected packets and click on OK.
Note: You must select a color in the color bar next to the color wheel to
load values into the RGB fields. Alternatively, you can set the RGB
values directly to select the color you want.
Figure 9.4, “Using color filters with Wireshark” shows an example of several
color filters being used in Wireshark. You may not like the color choices;
feel free to choose your own.
If you are uncertain which coloring rule was actually applied to a
specific packet, have a look at the [Coloring Rule Name: ...] and
[Coloring Rule String: ...] fields.
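The ordering pitfall from the note above (a UDP rule listed before a DNS rule shadows it) can be checked offline. The following is an added example, not code from Wireshark or this guide: it parses a constructed sample in the layout of Wireshark's "colorfilters" preference file (assumed here to be one rule per line, `@name@filter@[fg][bg]` with 16-bit color components, a leading `!` disabling a rule), replays Wireshark's top-to-bottom, first-match evaluation over sample packets, and reports rules that never fire. Filters are restricted to a bare protocol name, a deliberate simplification of the real display-filter language.

```python
import re

# Constructed sample in the layout of Wireshark's "colorfilters" file
# (assumption about the format; not copied from any real profile).
COLORFILTERS = """\
# constructed sample profile
@udp@udp@[65535,65535,65535][8448,8448,8448]
@dns@dns@[0,0,0][65535,65535,0]
!@arp@arp@[0,0,0][64764,57568,65535]
@tcp@tcp@[65535,65535,65535][24415,24415,65535]
"""

RULE_RE = re.compile(
    r"^(!?)@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")

def parse_colorfilters(text):
    """Return [(name, filter, enabled, fg, bg)] in file order (top to bottom)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised colorfilters line: {line!r}")
        disabled, name, flt = m.group(1), m.group(2), m.group(3)
        fg = tuple(int(m.group(i)) >> 8 for i in (4, 5, 6))  # 16-bit -> 8-bit
        bg = tuple(int(m.group(i)) >> 8 for i in (7, 8, 9))
        rules.append((name, flt, disabled == "", fg, bg))
    return rules

def first_match(rules, protocols):
    """Rules are applied top to bottom; the first enabled rule whose filter
    matches wins. Filters here are bare protocol names (simplification)."""
    for name, flt, enabled, _fg, _bg in rules:
        if enabled and flt in protocols:
            return name
    return None

def shadowed_rules(rules, samples):
    """Enabled rules that never fire on any sample packet, e.g. 'dns'
    listed after 'udp': every DNS packet is already coloured by 'udp'."""
    fired = {first_match(rules, p) for p in samples}
    return [r[0] for r in rules if r[2] and r[0] not in fired]

# Constructed packets: the protocol stack Wireshark would dissect for each.
SAMPLES = [
    {"eth", "ip", "udp", "dns"},   # a DNS query over UDP
    {"eth", "ip", "udp"},          # some other UDP traffic
    {"eth", "ip", "tcp"},
    {"eth", "arp"},
]
```

Moving the `dns` line above the `udp` line in the sample and re-running `shadowed_rules` shows every enabled rule firing, which is the ordering the note asks for.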