Chapter 4. Configuring Wireshark
Wireshark offers a number of features that can be configured to enhance the accuracy and ease of performing packet analysis activities such as troubleshooting a functional or performance problem. Selecting the best format to measure the elapsed time between packets is an important factor. There are a number of protocol-specific options that affect how Wireshark displays time-related information that are useful as well. Coloring rules, preferences settings, and profiles let you customize Wireshark for your particular style of analysis, as well as the different environments that you might work in.
In this chapter, we will cover the following topics:
These topics will wrap up our introduction to the most essential and useful features and options of Wireshark.
Working with packet timestamps
Understanding how Wireshark handles time and using the right incarnation of packet timestamp displays is crucial to properly analyze packet flows and identify time-related anomalies.
How Wireshark saves timestamps
When packets are captured, Wireshark gives each packet a timestamp derived from the system clock of the machine from where the capture takes place. This timestamp is converted to Universal Coordinated Time (UTC) based on an offset calculated from the time zone setting and any Daylight Savings Time (DST) rules that apply for the capture machine, and then converted again to an epoch number (the UTC-based number of seconds since January 1, 1970). This is the time value that gets saved in the capture file for each packet. When Wireshark reads the capture file, it turns the epoch number back to the familiar date and time display, adjusted for the time zone and DST offsets for your machine.
This means that if a packet capture is conducted on a machine in Los...
Colorization and coloring rules
Colorization of packets displayed in the Packet List pane can be an effective tool to identify and highlight packets of interest, especially the packets that contain or indicate some kind of error condition.
Wireshark has predefined coloring rules that are enabled by default and which can result in a kaleidoscope of colored packets in the Packet List pane. You can enable or disable the coloring rules by selecting Colorize Packet List from the View menu or by clicking on the Colorize Packet List icon in the icon bar if this becomes overwhelming.
You can also view, enable/disable, add, delete, reorder, and edit the coloring rules by selecting Coloring Rules from the View menu or by clicking on the Edit Coloring Rules icon in the icon bar. There is a Clear button that removes all the changes you may have made to the rules and restores them to default settings if needed.
A Coloring Rules window is depicted in the following screenshot:
Coloring rules employ display...
In the Adding a time column section, we opened the Preferences window using Preferences in the Edit menu or by clicking on the Preferences icon in the icon bar to configure the time display column options. There are quite a number of Preferences options that you should be aware of and may want to adjust to customize your Wireshark environment:
Layout: This is used to select the ordering of the Packet List, Packet Details, and Packet Bytes panes.
Columns: This is used to add, remove, and move columns in the Packet List pane.
Capture: This is used to set the default capture options.
Filter Expressions: This is used to add, remove, or move the Filter Expression buttons.
Name Resolution: This is used to set the MAC, transport, and network (IP) resolution options.
Protocols: There are options that can be set for all of the protocols that Wireshark supports; some of the most important and useful of these options include:
As we have covered the numerous Wireshark configuration options that are saved in specific files, such as cfilters
for Capture Filters, dfilters
for Display Filters, colorfilters
for Coloring Rules, and preferences
for preferences settings, it was mentioned that these files were saved in one of your Personal configuration directories, but I have left a full explanation of profiles and these configuration directories until now so that you would better understand what makes up a profile and why they are useful.
A profile is a collection of Wireshark configuration files customized for your specific needs and tastes in capture and display filters, coloring rules, columns and layouts, and so on for the particular environment you are working in. You can create one or more profiles and quickly reconfigure Wireshark to work best in differing environments by selecting the appropriate profile.
When you first install Wireshark, it operates with a default set of configuration files...
The topics covered in this chapter included working with Wireshark's time displays, colorization and coloring rules, selecting the appropriate Wireshark preferences for a given analysis environment, and saving all of these settings in profiles that can be selected as required.
In the next chapter, we'll cover a selection of network layer, transport layer, and application layer protocols in common use in modern networks, which will help you to prepare for more advanced packet analysis activities in the later chapters.