Configuring Profiles
Wireshark allows the user to create multiple profiles with different sets of options, depending on the preferred view or the type of analysis the network analyst wants to perform. In a profile, the user can save different rules, filters, columns and other features to facilitate the analysis. When Wireshark is first opened, the active profile is Default.
Creating a Profile
At the very bottom right of the screen, right-click on Profile: Default > New.
Adding a custom column
Adding a column can be useful if we are constantly looking for the same value in analyzed packets:
Edit > Preferences > Columns
We can also add a custom column by selecting the field we want in the analyzed packet, then right-click > Apply as column.
Changing the layout
We can change the layout by clicking on Edit > Preferences > Layout. These options change the layout of the three bottom panels based on our preferences.
Saving a filter
To save a filter, we can click on the + button at the right of the filter bar. We can give the filter we want to save a Label and a Comment.
Tips and tricks for the filters syntax
Whenever we click on a value in a packet, the bottom of the screen shows the syntax to use to filter for that value. The image below shows that the correct syntax to filter for all TCP SYN packets is tcp.flags.syn==1
Coloring Rules
We can set coloring rules so that a certain type of packet stands out when analyzing PCAP files. Coloring rules are based on filters. Go to View > Coloring Rules.
As seen in the image, we have set all packets with the TCP SYN flag set to be colored orange. Note that the coloring list is in order of preference, meaning that the rules at the top have priority.
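The rule ordering described above can also be seen on disk. This is an added example, not part of the original page: Wireshark keeps each profile as a folder under `profiles/` in its personal configuration directory, with the coloring rules in a `colorfilters` file, one `@name@filter@[background][foreground]` line per rule. The profile name `syn-triage`, the second rule, the helper names and the temporary directory standing in for the real configuration directory are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path

# Constructed rules: (name, display filter, background RGB, foreground RGB).
# Colors are 16-bit per channel, as stored in a colorfilters file.
RULES = [
    ("TCP SYN", "tcp.flags.syn==1", (65535, 42405, 0), (0, 0, 0)),  # orange
    ("TCP", "tcp", (59367, 59110, 65535), (0, 0, 0)),
]

def render_colorfilters(rules):
    """Serialize rules, top to bottom, as @name@filter@[bg][fg] lines."""
    out = []
    for name, dfilter, bg, fg in rules:
        if "@" in name:
            raise ValueError("'@' separates fields, so it cannot be in a name")
        out.append("@%s@%s@[%d,%d,%d][%d,%d,%d]" % (name, dfilter, *bg, *fg))
    return "\n".join(out) + "\n"

def parse_colorfilters(text):
    """Return [(name, filter, enabled)] in file order; '!' marks a disabled rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        enabled = not line.startswith("!")
        name, rest = line.lstrip("!")[1:].split("@", 1)
        rules.append((name, rest.rsplit("@[", 1)[0], enabled))
    return rules

def first_match(rules, matched_filters):
    """Name of the first enabled rule whose filter is in matched_filters.
    Which filters a packet matches is supplied by the caller (assumption)."""
    for name, dfilter, enabled in rules:
        if enabled and dfilter in matched_filters:
            return name
    return None

def write_profile(config_dir, profile, rules):
    """Create <config_dir>/profiles/<profile>/colorfilters and return its path."""
    pdir = Path(config_dir) / "profiles" / profile
    pdir.mkdir(parents=True, exist_ok=True)
    path = pdir / "colorfilters"
    path.write_text(render_colorfilters(rules))
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the real config dir
        parsed = parse_colorfilters(write_profile(tmp, "syn-triage", RULES).read_text())
        syn_packet = {"tcp.flags.syn==1", "tcp"}  # a SYN packet matches both filters
        print(first_match(parsed, syn_packet))
        print(first_match(list(reversed(parsed)), syn_packet))
```

With the SYN rule at the top, a SYN packet is colored by it; if the broader `tcp` rule is moved above it, the SYN rule never applies to that packet.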
Changing displayed time
We can change how the time is displayed on the Wireshark interface by clicking on View > Time Display Format.