A very useful mechanism available in Wireshark is packet colorization. You can set up Wireshark so that it will colorize packets according to a display filter. This allows you to emphasize the packets you might be interested in.
You can find a lot of coloring rule examples at the Wireshark Wiki Coloring Rules page at http://wiki.wireshark.org/ColoringRules.
There are two types of coloring rules in Wireshark: temporary rules that are only in effect until you quit the program, and permanent rules that are saved in a preference file so that they are available the next time you run Wireshark.
Temporary rules can be added by selecting a packet and pressing the Ctrl key together with one of the number keys. This will create a coloring rule based on the currently selected conversation. It will try to create a conversation filter based on TCP first, then UDP, then IP and at last Ethernet. Temporary filters can also be created by selecting the → menu items when right-clicking in the packet detail pane.
To permanently colorize packets, select Figure 10.1, “The “Coloring Rules” dialog box”.→ . Wireshark will display the “Coloring Rules” dialog box as shown in
If this is the first time using the Coloring Rules dialog and you’re using the default configuration profile you should see the default rules, shown above.
|The first match wins|
More specific rules should usually be listed before more general rules. For example, if you have a coloring rule for UDP before the one for DNS, the rule for DNS may not be applied (DNS is typically carried over UDP and the UDP rule will match first).
You can create a new rule by clicking on thebutton. You can delete one or more rules by clicking the button. The “copy” button will duplicate a rule.
You can edit a rule by double-clicking on its name or filter. In Figure 10.1, “The “Coloring Rules” dialog box” the name of the rule “Checksum Errors” is being edited. Clicking on the and buttons will open a color chooser (Figure 10.2, “A color chooser”) for the foreground (text) and background colors respectively.
The color chooser appearance depends on your operating system. The OS X color picker is shown. Select the color you desire for the selected packets and click.
Figure 10.3, “Using color filters with Wireshark” shows an example of several color filters being used in Wireshark. Note that the frame detail shows that the “Bad TCP” rule rule was applied, along with the matching filter.