Configuring coloring rules and navigation techniques

Coloring rules define how Wireshark will color protocols and events in the captured data. Working with the coloring rules will help you a lot with network troubleshooting, since you are able to see different protocols in different colors, and you can also configure different colors for different events.

Coloring rules enable you to configure new coloring rules according to various filters. It will help you to configure different coloring schemes for different scenarios and save them in different profiles. In this way you can configure coloring rules for resolving TCP issues, rules for resolving Sip and Telephony problems, and so on.

Tip

You can configure Wireshark Profiles in order to save Wireshark configuration; for example, predefined colors, filters, and so on. To do so, navigate to Configuration Profiles from the Edit menu.

Getting ready

To start with the coloring rules, proceed as follows:

1. Go to the View menu.
2. On the lower part of the menu, choose Coloring Rules. You will get the following window:
   

How to do it...

We will now move on to the coloring rules:

Click on the New button, and you will get the following window:

In order to configure a new coloring rule, follow these steps:

1. In the Name field, fill in the name of the rule. For example, fill in NTP for the Network Time Protocol.
2. In the String field, fill in the filter string, that is, what you want the rule to show (we will talk about display filters in Chapter 3, Using Display Filters). You can click on the expression button and get a list of preconfigured filters.
3. Click on the Foreground Color button and choose the foreground color for the rule. This will be the foreground color of the packet in the packet list.
4. Click on the Background Color button and choose the background color for the rule. This will be the background color of the packet in the packet list.
5. Click on the Edit button if you want to edit an existing rule. You can also either click on the Import button to import an existing coloring scheme, or click on the Export rule for exporting the current scheme.

Tip

There is an importance to the order of the coloring rules. Make sure the order that the coloring rules are in is the order of implementation. For example, application layer protocols should come before TCP or UDP, so that Wireshark colors them in their color and not the regular TCP or UDP color.

How it works...

Like many operations in Wireshark, you can configure various operations on the data that is filtered. The coloring rules mechanism simply applies a coloring rule to a predefined filter.

See also

You can find various types of coloring schemes at http://wiki.wireshark.org/ColoringRules, along with many other examples, in a simple Internet search.