Wireshark tuning

The Wireshark packet analyzer is a powerful tool for both capturing and analyzing traffic. We have previously looked at using Wireshark to work with DNS packets. In this article we will look at various ways of configuring the tool so that working with it becomes more convenient and efficient.

Wireshark's settings live under Edit -> Preferences. There are a great many of them, and we will not go through each in detail. The Appearance section holds the visual settings: fonts, the colors used, whether the size and position of the main window are remembered, and much more.

Adding Columns

The Columns tab of the Appearance section lets us add or remove columns in the packet list.

Click + and pick the column type from the list, for example the source or destination hardware (MAC) address. Any display-filter field can also be shown as a column: choose the Custom type and enter the field name (for example, tcp.window_size or dns.qry.name) in the Fields column.

The result is an extra column in the packet list. The same thing can be done from the packet details pane by right-clicking a field and choosing Apply as Column, which is often quicker than going through the preferences.

In the Layout tab we can rearrange the three panes (packet list, packet details, packet bytes), for example placing them side by side vertically:

Some will find this layout more convenient, for instance on a wide screen.

Custom filters

In the Filter Buttons section we can save our own display filters and put a button for each of them on the filter toolbar. Again click +, enter the button text in the Button Label field, and put the display filter expression in the Filter Expression field.

In the example below we filter packets whose TCP port is 80 or 443, that is, the expression tcp.port == 80 || tcp.port == 443.

As a result, a button with that label appears on the filter toolbar; clicking it applies the filter to the packet list.

Setting up protocols

When working with a specific application protocol, you may find that Wireshark does not dissect it correctly. A typical case is that it does not recognize the application protocol at all and shows its packets as plain TCP. The reason is that Wireshark picks the dissector by port number: if the service listens on a non-standard port, nothing tells Wireshark which protocol is inside the TCP payload.

The first place to look is the Protocols section of the preferences, where the protocol in question may have settings of its own. As an example, let us look at the MySQL protocol settings.

Here the settings include the TCP port the dissector is applied to; if your servers listen on something other than 3306, add your port here. There are also options that can be switched on or off: reassembling MySQL messages that span several TCP segments, and showing the SQL query text in the Info column. For a one-off port mapping, Analyze -> Decode As... does the same job without changing the protocol preferences.

Changing the coloring

Continuing the topic of working with different protocols, let us look at how to change the appearance of particular packets. As you saw earlier, packets are drawn in different colors. In the default rule set, for instance, TCP resets are drawn on a dark red background, routing-protocol packets on a yellow one, and so on.

When working with a specific protocol it is convenient to give its packets a color of their own so that they stand out in the overall traffic. For this we need View -> Coloring Rules.... Add an entry with the familiar + button.

Here we specify the rule name and the display filter expression it matches. Don't forget to tick the checkbox to make the rule active. Rules are evaluated from top to bottom and the first match wins, so drag a specific rule above more general ones such as the built-in TCP rule, otherwise it will never fire.

The colors are chosen with the Background and Foreground buttons. The finished rule set can be exported with the Export... button and loaded on another machine with Import...; on disk it is stored as the colorfilters file in the profile directory.

Your profile

We have already configured quite a few interesting things, but in practice different tasks often call for different settings. Rather than re-applying the necessary settings each time, we can use configuration profiles.

A Wireshark configuration profile stores the following.

  • Preferences

  • Capture filters

  • Display filters and filter buttons

  • Coloring rules

  • Disabled protocols

  • Decode As entries

  • Recent settings, including pane sizes, menu view settings and column widths

  • Protocol-specific tables

To work with profiles, open Edit -> Configuration Profiles....

Several profiles exist out of the box: Default, Bluetooth, Classic and No Reassembly; Default is the one in use.

To create a new profile, click the familiar + and give it a name. User-created profiles are of type Personal; the built-in ones are Global and read-only, so to change one of them, copy it first.

We can then switch to the new profile by clicking the Profile field at the bottom right of the status bar, and the settings saved in it take effect immediately.

Profiles can also be exported and imported onto other machines: the Configuration Profiles dialog can export a profile as a zip archive. On disk a profile is simply a directory under the profiles folder of the Wireshark configuration directory (~/.config/wireshark/profiles on Linux, %APPDATA%\Wireshark\profiles on Windows).
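Because filter buttons, coloring rules, Decode As mappings and custom columns are all plain text files inside the profile directory, a profile can be built and kept under version control without touching the GUI. The script below is an added example, not code from the article: it writes a DevOps profile using the file layouts Wireshark 3.x itself writes (dfilter_buttons, colorfilters, decode_as_entries, preferences). The profile name, the MySQL port 3307, the colors and the WIRESHARK_PROFILES variable are constructed for the example; the single-line gui.column.format entry is an assumption about the preferences parser, so compare it with a preferences file your own Wireshark has saved before relying on it.

```shell
#!/bin/sh
# Build a Wireshark configuration profile from the shell (added example, not
# part of the original article). File layouts are the ones Wireshark 3.x
# writes into a profile directory; Wireshark itself is not needed to run this.
set -eu

# Where profiles live: ~/.config/wireshark/profiles on Linux,
# %APPDATA%\Wireshark\profiles on Windows. Default to a scratch directory so
# the script is safe to run anywhere; set WIRESHARK_PROFILES to install it.
PROFILE_ROOT="${WIRESHARK_PROFILES:-$(mktemp -d)/profiles}"

# make_profile NAME -> prints the profile directory, creating it if needed
make_profile() {
    dir="$PROFILE_ROOT/$1"
    mkdir -p "$dir"
    printf '%s\n' "$dir"
}

# add_button DIR LABEL EXPRESSION -> one filter-toolbar button
# dfilter_buttons line format: "enabled","label","display filter","comment"
add_button() {
    printf '"TRUE","%s","%s",""\n' "$2" "$3" >> "$1/dfilter_buttons"
}

# add_color DIR NAME EXPRESSION BG FG -> one coloring rule
# colorfilters line format: @name@display filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]
# Channels are 16-bit (0-65535). The first matching rule wins, so our own
# rules go first and the stock rules are appended after them.
add_color() {
    printf '@%s@%s@[%s][%s]\n' "$2" "$3" "$4" "$5" >> "$1/colorfilters"
}

# add_decode_as DIR TABLE SELECTOR PROTOCOL -> forced dissector mapping,
# the file form of Analyze -> Decode As...
# decode_as_entries line format: decode_as_entry: table,selector,(none),protocol
add_decode_as() {
    printf 'decode_as_entry: %s,%s,(none),%s\n' "$2" "$3" "$4" >> "$1/decode_as_entries"
}

# count_entries FILE -> number of non-comment lines (used to check the result)
count_entries() {
    grep -cv '^#' "$1" || true
}

# build_devops_profile -> writes the whole "DevOps" profile and prints its path
build_devops_profile() {
    dir=$(make_profile DevOps)
    rm -f "$dir/dfilter_buttons" "$dir/colorfilters" "$dir/decode_as_entries" "$dir/preferences"

    # Filter buttons: the article's port 80/443 button plus two more.
    printf '# This file is automatically generated, DO NOT MODIFY.\n' > "$dir/dfilter_buttons"
    add_button "$dir" Web   'tcp.port == 80 || tcp.port == 443'
    add_button "$dir" DNS   'dns'
    add_button "$dir" MySQL 'mysql'

    # Coloring: MySQL on pale yellow, then the stock rules (if installed), since
    # a colorfilters file in a profile replaces the global one entirely.
    add_color "$dir" MySQL 'mysql' '65535,65535,49152' '0,0,0'
    for base in /usr/share/wireshark/colorfilters /usr/local/share/wireshark/colorfilters; do
        if [ -f "$base" ]; then cat "$base" >> "$dir/colorfilters"; break; fi
    done

    # Decode As: MySQL listening on non-standard port 3307 (constructed example).
    add_decode_as "$dir" tcp.port 3307 MySQL

    # Packet-list columns, including a custom one for the source MAC address.
    # Custom column syntax: %Cus:<field>:<occurrence>:<R=resolved|U=unresolved>
    # (assumption: single-line form of what Wireshark writes as gui.column.format).
    printf 'gui.column.format: "No.", "%%m", "Time", "%%t", "Src MAC", "%%Cus:eth.src:0:R", "Source", "%%s", "Destination", "%%d", "Protocol", "%%p", "Length", "%%L", "Info", "%%i"\n' > "$dir/preferences"

    printf '%s\n' "$dir"
}

# Stand-alone run. Select the profile in the GUI (Profile field, bottom right)
# or on the command line with: tshark -C DevOps -r capture.pcap -Y mysql
build_devops_profile
```

Run it once with WIRESHARK_PROFILES pointing at the real profiles directory and then pick DevOps from the Profile field; Wireshark reads the directory on startup, so restart it if it is already open. The stock rules are appended after the custom MySQL rule on purpose: the profile's colorfilters file overrides the global one, and with first-match evaluation the MySQL rule must sit above the generic TCP rule to have any effect.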

Conclusion

In this article we looked at some useful Wireshark customization settings that will help DevOps engineers work with traffic more effectively.

Finally, a reminder about the open lesson at OTUS on May 15: “Containerization technology. Introduction to Docker”. You will learn what containers are, how they work, and how they differ from virtual machines. Registration is free via the link.
