Colorization and coloring rules

Colorization of packets displayed in the Packet List pane can be an effective tool to identify and highlight packets of interest, especially the packets that contain or indicate some kind of error condition.

Wireshark has predefined coloring rules that are enabled by default and which can result in a kaleidoscope of colored packets in the Packet List pane. You can enable or disable the coloring rules by selecting Colorize Packet List from the View menu or by clicking on the Colorize Packet List icon in the icon bar if this becomes overwhelming.

You can also view, enable/disable, add, delete, reorder, and edit the coloring rules by selecting Coloring Rules from the View menu or by clicking on the Edit Coloring Rules icon in the icon bar. There is a Clear button that removes all the changes you may have made to the rules and restores them to default settings if needed.

A Coloring Rules window is depicted in the following screenshot:

Coloring rules employ display filter formats with specific values to identify packets that should be colored. The rules are compared to packets starting with the top rule and working down through the list. Only the first rule that matches a packet's condition is applied, so the ordering of the rules dictates which rule gets applied if more than one rule matches a packet. If you create or modify a rule, you have to check the ordering to make sure you get the desired behavior.

Clicking on a rule and then clicking on Edit allows you to modify the foreground and background colors for that rule, as well as change the filter string if desired.

You can also export/import coloring rules if you want to share them with others. Coloring rules are stored in a file called colorfilters in one of your personal configuration directories depending on the profile in use.

Packet colorization

You can also temporarily color a series of packets in a conversation by selecting one of the conversation packets, selecting Colorize Conversation from the View menu, and selecting a color from the adjoining menu, or by right-clicking on a packet, selecting Colorize Conversation from the menu, selecting one of the protocol-specific options, and then selecting the desired color. This colorization will disappear when the capture file is reloaded, or you can select Reset Coloring 1-10 from the View menu.