Everyone likes to arrange their desks in their own way. Working with Wireshark is no different, as you can personalize the settings to suit your needs. In this chapter, we'll dive into the Wireshark interface and look at ways to enhance the appearance and layout, as well as create custom configuration profiles. You'll gain a better appreciation of how you can design the interface to meet your specifications and evaluate ways to manipulate columns, change the font, and fine-tune color choices.
So that you get a better understanding of how to document capture information in Wireshark, we'll review tips on how to add comments. You'll discover how to comment on a single packet or an entire capture. Finally, we'll step through the process of building and modifying a complex filter during packet analysis. We'll finish by learning how to create a button on the toolbar as a shortcut for commonly used filters in Wireshark.
This chapter will cover the following:
Although Wireshark is functional in default mode, it's easy to modify the appearance and layout to optimize your workflow. In addition to the layout and general appearance, you can modify many other components. For example, you can change the language, choose how the main toolbar is drawn, set how many recent filters and files Wireshark remembers, and define what you want to appear in the status bar. Let's start with how you can customize the appearance.
In Wireshark, you can tailor the general appearance in the following ways:
To view all the choices where you can make and modify your selections, go to Edit and then Preferences, which will bring up a dialog box. Once there, expand Appearance, as shown in the following screenshot:
At the top of the dialog box, we can see the Remember main window size and placement option. If selected, Wireshark will reopen at the same size and position the next time you start it. To see how this works, do the following:
The next selection, Open files in, sets the folder that the file-open dialog starts in. Here, you will find two choices:
Show up to allows you to modify how many files or filters are preserved. The choices are outlined as follows:
When working with captures, Wireshark can help remind you to save your file by selecting Confirm unsaved capture files. If checked, Wireshark will display a prompt before closing the app, starting a new capture, or opening another file, as shown here:
The next option, Main toolbar style, will allow you to alter the appearance of the main toolbar, which is across the top, underneath the menu choices. You can choose to display as Icons only, Text only, as well as Icons & Text, as shown here:
The next selections will enable you to modify how the title across the top of the screen appears. The choices include the following:
I have included both options, so the title appears as [Lisa WS]dhcp.cap[Lisa], as shown in Figure 6.3.
Note
For Window title, I used the %P (profile) selection.
The last option is Language. The default is Use system setting. However, the developers have added a powerful feature – the ability to select from a variety of languages, including Chinese, English, French, German, Italian, Japanese, and Polish.
Now that we have set up our workspace, let's evaluate ways to modify the layout.
As covered in the Exploring the View menu section in Chapter 4, Exploring the Wireshark Interface, you can select which of the panels you want to appear, as follows:
Once you launch Wireshark, the default setting is the three panes – Packet List, Packet Details, and Packet Bytes stacked one above the other.
However, it's easy to switch to one of six other layouts. To make changes to the layout, go to Edit | Preferences, which will bring up a dialog box. Once there, expand Appearance, and then select Layout, as shown here:
For example, if you have selected the settings shown in the preceding screenshot, your layout will appear as follows:
In addition, you have choices to modify additional selections, for either the packet list or status bar settings. Let's start with how we can enhance the view of the packet list settings.
Within this section, Wireshark provides additional options to visualize the packet list.
The Show packet separator option draws a thin line between the rows of the packet list, so adjacent frames are easier to tell apart.
If you select Show column definition in column context menu, when you right-click on any of the column headers, Wireshark will describe each of the column values, as shown here:
When you select Enable mouse-over colorization, the row under the mouse pointer is highlighted in a light blue color, as shown in frame 4 in the preceding screenshot.
In addition, we can modify the status bar, which is found at the bottom of the Wireshark interface.
Here, you can choose to select Show selected packet number and Show file load time.
Once selected, this information will be displayed in the lower-right-hand corner of the status bar, as shown here:
The last option, Restore Defaults, will reset any options that you have selected to the default state.
Next, we'll examine ways to generate a custom configuration profile to provide a unique set of settings that are specific to our needs.
A configuration profile is a set of preferences and configurations. Once you launch Wireshark, at the lower right-hand corner of the interface, you will see Profile: Default, as shown in Figure 6.7.
In Wireshark, users can create their own custom configuration profiles, which can include personalized preferences, coloring rules, font styles, and buttons.
To create a custom profile, go to Edit | Configuration Profiles. Once the dialog box is open, you will see that Wireshark has a default configuration called Default. In addition, you will see three Global configurations, Bluetooth, Classic, and No Reassembly, as shown in italics in the following screenshot:
In addition, I have created two personal profiles, Lisa and Malware. In the next section, we'll see how easy it is to create a new profile.
Once you have determined that it will be beneficial to create a custom profile, you can begin the process by going to Edit | Configuration Profiles. Once there, select the + sign and assign the profile a name. For example, I created a profile named Malware, as shown in Figure 6.8. Once you add the profile, close the dialog box, and then you can modify the profile.
You can make several changes to suit your needs, such as the following:
Once done, Wireshark will save any changes in the custom profile.
In my Malware profile, I wanted to modify the settings so that I can hunt for an Ettercap signature. Ettercap is a tool that is used to launch man-in-the-middle attacks on a LAN. When it searches for other poisoners on the LAN, it sends ICMP echo requests whose identifier field is set to e77e, and I want to be able to quickly spot that signature.
Note
The Ettercap signature e77e translates to ette (short for Ettercap) in leetspeak. You can check this by visiting https://www.dcode.fr/leet-speak-1337.
To customize my profile, I adjusted the columns and removed the Packet Bytes lower panel. Finally, I added an ette button (which we'll learn how to create in the Crafting buttons section). Once selected, the button will apply and run the icmp.ident == 0xe77e display filter.
The results are shown in the top right-hand corner of the following screenshot:
Using my Malware profile, I can easily check for Ettercap poisoners by hitting my button, which will then show any packets in the capture that have that signature.
If you want to change the profile, click on the lower right-hand corner and select the profile you want to use, as shown in the following screenshot:
In addition, if you want to manage the profiles, right-click on the Profile label. Wireshark will bring up a dialog box, where you can then select Manage Profiles…, as shown in the following screenshot:
Along with being able to manage and modify the profiles, Wireshark allows you to import and export profiles, so you can easily share them with your team. Right-click on the Profile label and choose Import or Export to make your selection.
You can import profile(s) from the following:
You can export the following profile(s):
Many times while conducting packet analysis, there is a need to refine our view by filtering traffic. If you have created a filter that you find you will need to run often, then you can create a handy toolbar button, as outlined in the next section.
A display filter allows you to show only specific traffic. Many times, we'll use a simple filter, such as dns (Domain Name System) or http (Hypertext Transfer Protocol). However, there are times when you may need to create a more complex filter, such as when comparing specific protocol fields against values and combining the comparisons with logical operators.
While working with Wireshark, you may have created a complex filter by using shortcuts.
Note
We'll learn more about shortcuts in the Discovering shortcuts and handy filters section in Chapter 7, Using Display and Capture Filters.
For example, suppose you created a display filter to show only packets with the Transmission Control Protocol Synchronization (TCP SYN) flag set and the Acknowledgement (ACK) flag clear, that is, the first packet of each connection attempt:
(tcp.flags.syn == 1) && !(tcp.flags.ack == 1)
Once you have created an expression and it is visible in the display filter, you can effortlessly create a button. In the right-hand corner, right after the Display Filter, hit the + (plus) sign, and Wireshark will display a drop-down dialog box, as shown in the following screenshot:
Once the dialog box is open, you can enter an appropriate label and add a comment for the filter button. Wireshark will automatically enter the display filter for the button to run when clicked. When done, select OK, and the new button will appear on the toolbar.
After working with Wireshark and adding buttons, you may want to remove some to clean up the toolbar. The following list shows the steps to edit filter buttons:
When selected, you will see whatever buttons are currently on your toolbar.
If you want to remove any filter buttons, highlight the button you want to remove and select the – (minus) sign in the lower left-hand corner.
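Everything above happens in the GUI, but a profile is just a directory of text files, which makes it possible to generate and share profiles from a script and keep them under version control. The following Python is an added example, not the book's code and not part of Wireshark: it writes a Malware-style profile containing the ette button and the SYN-only button from this section, adds two custom ip.id columns, and zips the directory in the shape that Import Profiles | from Zip file expects. The file layouts it relies on (a profile directory under profiles/, dfilter_buttons as one UAT record per line with quotes and backslashes inside values escaped as \xHH, gui.column.format in preferences as title/format pairs, and %Cus:<field>:<occurrence>:R for a custom column) are taken from what Wireshark 3.x and later writes itself and should be treated as assumptions; if Wireshark rejects a line, diff the output against a profile the GUI created. The profile name, button labels and comments are made up.

```python
"""Added example, not the book's code: build a Wireshark configuration
profile from a script, so filter buttons and columns can be reviewed and
shared like any other config. Assumed (from files Wireshark writes itself;
verify against a GUI-created profile if a line is rejected):
  * a profile is <config dir>/profiles/<name>/ holding plain text files
  * dfilter_buttons is a UAT file, one "enabled","label","filter","comment"
    record per line, with " and \\ inside a value escaped as \\xHH
  * preferences stores gui.column.format as title/format pairs, and a
    custom column's format is %Cus:<field>:<occurrence>:R
Profile name, labels and comments below are made up for the example."""
import os
import tempfile
import zipfile

DEFAULT_COLUMNS = [("No.", "%m"), ("Time", "%t"), ("Source", "%s"),
                   ("Destination", "%d"), ("Protocol", "%p")]


def uat_quote(value: str) -> str:
    """Quote one UAT field: printable ASCII as-is, quote/backslash/other as \\xHH."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x22, 0x5C) or not 0x20 <= b < 0x7F:
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return '"' + "".join(out) + '"'


def dfilter_buttons_lines(buttons):
    """buttons: iterable of (label, display filter, comment, enabled)."""
    return [",".join(uat_quote(v) for v in ("TRUE" if enabled else "FALSE", label, expr, comment))
            for label, expr, comment, enabled in buttons]


def custom_column(field: str, occurrence: int = 0, resolved: bool = True) -> str:
    """Occurrence 0 shows every value of the field, 1 the first, 2 the second, ..."""
    return "%%Cus:%s:%d:%s" % (field, occurrence, "R" if resolved else "U")


def preferences_text(columns) -> str:
    rows = ",\n".join('\t"%s", "%s"' % (title, fmt) for title, fmt in columns)
    return "gui.column.format: \n" + rows + "\n"


def write_profile(config_dir: str, name: str, buttons, columns) -> str:
    pdir = os.path.join(config_dir, "profiles", name)
    os.makedirs(pdir, exist_ok=True)
    with open(os.path.join(pdir, "dfilter_buttons"), "w", newline="\n") as f:
        f.write("\n".join(dfilter_buttons_lines(buttons)) + "\n")
    with open(os.path.join(pdir, "preferences"), "w", newline="\n") as f:
        f.write(preferences_text(columns))
    return pdir


def export_profile_zip(pdir: str, zip_path: str) -> str:
    """Zip with a <name>/ top-level folder, for Import Profiles | from Zip file."""
    name = os.path.basename(pdir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as z:
        for fn in sorted(os.listdir(pdir)):
            z.write(os.path.join(pdir, fn), name + "/" + fn)
    return zip_path


MALWARE_BUTTONS = [
    ("ette", "icmp.ident == 0xe77e", "Ettercap looking for other poisoners", True),
    ("SYN only", "(tcp.flags.syn == 1) && !(tcp.flags.ack == 1)", "", True),
]
MALWARE_COLUMNS = DEFAULT_COLUMNS + [               # Length and Info left out, as in the chapter
    ("IP Main ICMP", custom_column("ip.id", 1)),
    ("IP Nested ICMP", custom_column("ip.id", 2)),
]


def build_malware_profile(config_dir=None):
    """Write the Malware profile (into a temp dir unless told otherwise) and zip it.
    Returns (profile dir, zip path, sorted zip entry names)."""
    config_dir = config_dir or tempfile.mkdtemp(prefix="wireshark-profile-")
    pdir = write_profile(config_dir, "Malware", MALWARE_BUTTONS, MALWARE_COLUMNS)
    zpath = export_profile_zip(pdir, os.path.join(config_dir, "Malware.zip"))
    with zipfile.ZipFile(zpath) as z:
        names = sorted(z.namelist())
    return pdir, zpath, names


if __name__ == "__main__":
    pdir, zpath, names = build_malware_profile()
    print("profile in", pdir, "zipped to", zpath, "entries:", names)
```

The usual profile locations are ~/.config/wireshark/profiles on Linux and %APPDATA%\Wireshark\profiles on Windows; pass that configuration directory as config_dir, with Wireshark closed so it does not overwrite the files on exit, and the profile appears in the Profile menu on the next start. The zip can instead be handed to a colleague for Import Profiles | from Zip file.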
You can now see the power of creating a customized profile to personalize your workspace. Now, let's investigate how you can add or remove columns, and adjust font and color to suit your needs.
While working with a packet capture, most users are comfortable with the default settings used in the interface. However, you can adjust font styles and size to personalize the look and feel of your workspace. In addition, you can also modify the colors that Wireshark uses for the various packet identifiers and display filters.
Once you are in the interface, you will see the column headers that are along the top of the screen. While you are working on a capture, you might not ever manipulate the columns. However, you can add, delete, align, and customize the columns at any time.
Wireshark makes it easy to add and modify columns, as we'll see in the next section.
In Wireshark, you can do more than simply expand or shrink the column headers while in the interface.
To improve how you visualize columns, go to Edit | Preferences, and then Columns, as shown in the following screenshot:
Once selected, you will see a list of columns. Some are present by default, and others are ones you may have added. You can select the checkbox to make the column visible, as well as add or remove columns.
Along the top of the dialog box, you will see the following selections:
To add a column, select the + (plus) sign. Identify the title by typing in an appropriate label where it says New Column, and then identify the type by using the drop-down menu and selecting a type. You can also remove any unwanted columns by highlighting the column and hitting the - (minus) sign.
In addition, once in the interface, you can align the columns by right-clicking and selecting the way you want your columns to align, either left, center, or right, as shown here:
Most column types are fairly straightforward in how they are used. However, the one you may not be familiar with or use very often is Field Occurrence, which applies to Custom columns. Let's explore this concept next.
When an Internet Control Message Protocol (ICMP) error message is sent, the ICMP packet will include the following:
To see an example of an error, go to CloudShark to obtain a copy of ICMPv4_Destination_unreachable, found at https://www.cloudshark.org/captures/155db9732c91, and then open the capture in Wireshark.
Note
We'll learn more about ICMP in Chapter 12, Discovering ICMP.
A custom column on ip.id would, by default (Field Occurrence 0), show every value of that field in the frame, separated by commas. By setting Field Occurrence to 1 or 2 instead, we can put the ID field of the first (main) IP header and the ID field of the nested IP header into separate columns. This will allow us to easily see the difference between the two, as shown in the following screenshot:
To create the custom column headers, let's start by creating a new profile.
Go to Edit | Configuration Profiles:
Now that we have a new profile, we will create the field occurrence option.
Go to Edit | Preferences, and then Columns. Uncheck Length and Info, as shown in the following screenshot:
Next, we will add two new column headers.
Select the + (plus) sign and then modify the settings for the first newly created column header as follows:
Select the + (plus) sign and then modify the settings for the second newly created column header as follows:
The result is shown in Figure 6.16, where, right after the Protocol column header, you will see IP Main ICMP, followed by IP Nested ICMP.
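To see what Field Occurrence is actually selecting, and what the Malware profile's ette button (icmp.ident == 0xe77e) is matching, it helps to dissect a few frames by hand. The following Python is an added example, not the book's code and not Wireshark's: it builds a small pcap containing an Ettercap-style ICMP echo request, an ordinary ping, and an ICMP destination unreachable message (which quotes the offending IPv4 header, so ip.id occurs twice in the frame), then implements the button filter and the two occurrence-selected columns on top of a minimal Ethernet/IPv4/ICMP dissector. The 0xe77e value comes from this chapter; the addresses, IP IDs and payloads are constructed for the example, and the reader handles only the little-endian classic pcap it wrote itself.

```python
"""Added example, not code from the book: a minimal pcap/Ethernet/IPv4/ICMP
dissector that does in code what the chapter does with the Malware profile's
button filter (icmp.ident == 0xe77e) and with Field Occurrence on ip.id. In an
ICMP error message ip.id occurs twice: in the outer header and in the quoted
(nested) header of the datagram that caused the error. The 0xe77e value is from
the chapter; every address, ID and payload below is constructed."""
import struct

ETHERTYPE_IPV4, IPPROTO_ICMP = 0x0800, 1
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO = 0, 3, 8
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # types whose body quotes the offending IPv4 header
ETTERCAP_IDENT = 0xE77E                # "ette" in leetspeak, as the chapter notes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


# --- constructed test traffic -------------------------------------------------
def ipv4(src, dst, ident, proto, payload):
    a2b = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def icmp(type_, code, rest, body):
    msg = struct.pack("!BBH", type_, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def pcap(packets):
    """Classic little-endian libpcap file, link type 1 (Ethernet), one frame per packet."""
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, 14 + len(p), 14 + len(p)) + eth + p
    return out


def sample_capture():
    probe = ipv4("10.0.0.5", "10.0.0.9", 0x1001, IPPROTO_ICMP,      # Ettercap-style probe
                 icmp(ICMP_ECHO, 0, struct.pack("!HH", ETTERCAP_IDENT, 1), b"ettercap"))
    ping = ipv4("10.0.0.7", "10.0.0.9", 0x1002, IPPROTO_ICMP,       # ordinary echo request
                icmp(ICMP_ECHO, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"))
    offending = ipv4("10.0.0.7", "10.0.0.9", 0x0ABC, 17, struct.pack("!HHHH", 40000, 53, 8, 0))
    unreach = ipv4("10.0.0.9", "10.0.0.7", 0x2000, IPPROTO_ICMP,    # port unreachable for the UDP datagram
                   icmp(ICMP_DEST_UNREACH, 3, b"\x00" * 4, offending[:28]))
    return pcap([probe, ping, unreach])


# --- dissection: field name -> list of occurrences, as in Wireshark's detail tree --
def ipv4_fields(buf):
    ver_ihl, _, _, ident, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"ip.id": ident, "ip.proto": proto, "ip.src": ".".join(map(str, src)),
            "ip.dst": ".".join(map(str, dst))}, (ver_ihl & 0x0F) * 4


def dissect_frame(frame):
    fields = {}
    add = lambda k, v: fields.setdefault(k, []).append(v)
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return fields
    ip, ihl = ipv4_fields(frame[14:])
    for k, v in ip.items():
        add(k, v)
    if ip["ip.proto"] == IPPROTO_ICMP:
        body = frame[14 + ihl:]
        add("icmp.type", body[0])
        add("icmp.code", body[1])
        if body[0] in (ICMP_ECHO, ICMP_ECHO_REPLY):
            add("icmp.ident", struct.unpack("!H", body[4:6])[0])
        elif body[0] in ICMP_ERROR_TYPES:         # quoted header: second occurrence of ip.*
            for k, v in ipv4_fields(body[8:])[0].items():
                add(k, v)
    return fields


def read_pcap(data):
    """Yield (frame number, fields) for a little-endian classic pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off, n = 24, 0
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]
        n += 1
        yield n, dissect_frame(data[off + 16:off + 16 + incl])
        off += 16 + incl


def field_occurrence(fields, name, occurrence):
    """Custom-column semantics: 0 = all values comma-joined, n = n-th, -n = n-th from the end."""
    values = fields.get(name, [])
    if occurrence == 0:
        return ",".join(str(v) for v in values)
    idx = occurrence - 1 if occurrence > 0 else occurrence
    return values[idx] if -len(values) <= idx < len(values) else None


def ettercap_frames(data):
    """Frames the ette button would leave visible: icmp.ident == 0xe77e."""
    return [n for n, f in read_pcap(data) if ETTERCAP_IDENT in f.get("icmp.ident", [])]


def nested_id_columns(data):
    """Rows of (frame, IP Main ICMP, IP Nested ICMP): ip.id occurrence 1 and 2."""
    return [(n, field_occurrence(f, "ip.id", 1), field_occurrence(f, "ip.id", 2))
            for n, f in read_pcap(data) if "icmp.type" in f]


if __name__ == "__main__":
    cap = sample_capture()
    print("icmp.ident == 0xe77e matches frames", ettercap_frames(cap))
    for n, main_id, nested_id in nested_id_columns(cap):
        print("frame %d  IP Main ICMP=%s  IP Nested ICMP=%s" % (n, main_id, nested_id))
```

Only the error message fills the second column; for the two echo requests it stays empty, which is exactly what the IP Nested ICMP column shows in Figure 6.16. Occurrence 0 would have produced "8192,2748" in a single cell for frame 3, which is harder to read and impossible to sort on.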
As we can see, Wireshark is very versatile in modifying columns to adjust your view. Next, let's take a look at an overlooked feature in Wireshark, which is the ability to adjust the font and change the default colors.
In the main window, you may feel the text is too small; on Windows, for example, the Default profile uses Consolas at 10 points. It's easy to change the font and colors, make the text bold or italic, and change the font size and style.
Go to Edit | Preferences and select Font and Colors, as shown in the following screenshot:
Along the top, if you select Main window font, Wireshark will display a dialog box that will allow you to make changes to the font, as shown here:
Below Main window font, you'll see defaults for the way Wireshark colorizes the text and background for active and inactive items, along with marked and ignored packets. After that, you will see the defaults for the client and server text when you right-click on a packet and select Follow the TCP Stream, as shown here:
The colors help identify whether the client or the server is talking. When you follow the TCP stream, the default value for the client text is red, but this value can be changed.
The last three samples listed refer to the colors when creating a filter. The syntax checker within Wireshark checks the filter as you are entering text. When creating a filter, the following are default values:
As with all the other choices, you can change these values as well.
In Wireshark, we can record information about a particular packet or about the capture file as a whole in the form of comments, as we'll see in the next section.
While conducting packet analysis, there may be issues that you will want to highlight and identify so that you can reference them at a later date. For example, you might want to make a note on a single packet or an entire capture for future reference.
All of this is possible in Wireshark, as you can write a note in the capture outlining the key issues that were found. Once documented, you or your team can reference the comments at a later date.
Note
While commenting is optional, it is always good practice to document to help preserve the details of your findings.
Let's start with how we can add file comments.
Adding a comment to a packet capture is a very handy tool. When adding a comment, you can view it later to refresh your memory on key issues related to that packet capture. For example, you may have identified possible illegal or malicious activity, such as cryptocurrency mining, and you can list the details right in the capture file.
There are a few ways to add a comment to the file. Some examples are as follows:
Adding a comment to the file can help remind you or your team of what was significant about the capture. However, it's also possible to add a comment to a single packet, as discussed in the next section.
To add a comment to a single packet, select the packet and then go to Edit | Packet Comments | Add New Comment. A dialog box will be displayed, where you can enter your comment. Once you have entered your comment, Wireshark will append a note with bright green coloring at the top of the frame, in the Packet Details panel, as shown in the following screenshot:
Once you have added comments to either the entire capture or a single packet, you'll want to save them and then, at some point, go back in and reference the notes. The following section reviews how we can take a look at the comments and how to preserve our remarks.
Comments can be a powerful tool, as you can use them in many ways to preserve what you felt was significant in the capture. Even after several years have passed, I still find the comments valuable, as they help me to remember my train of thought when I analyzed a packet capture. However, in order for the comments to be of value, you must save them. Let's discuss how this is achieved.
Once you have created a comment, you will see an asterisk by the title across the top of the Wireshark interface, as shown here:
The asterisk will remain until you save the file. Keep in mind that to preserve the comments, you must save the file in PCAP Next Generation (.pcapng) format; the classic .pcap format has no place to store comments, so saving in that format silently discards them.
If you or your team has taken the effort to make a comment, then it's well worth your time to read them. You can view either packet or capture file comments in a few ways:
You can also view packet comments by going to Expert Information, which is found by selecting the colored circle in the lower left-hand corner of the interface. Once the dialog box opens, expand the Comment section to see any comments, as shown in the following screenshot:
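The reason the file format matters is visible in the bytes themselves. The following Python is an added example, not the book's code and not Wireshark's: it writes a pcapng file with a capture comment on the Section Header Block and per-packet comments on Enhanced Packet Blocks (both as the opt_comment option, code 1, which is where Wireshark stores them), reads the comments back, and, for contrast, writes the same frames as classic pcap, whose fixed headers have nowhere to carry a comment. Block layouts follow the pcapng specification; the comment text and frame bytes are made up, and only little-endian sections are handled.

```python
"""Added example (not from the book): pcapng comments written and read back
the way Wireshark stores them. The capture comment is an opt_comment option
(code 1) on the Section Header Block; a packet comment is the same option on
that packet's Enhanced Packet Block. Classic pcap has no option fields at all,
which is why saving as .pcap discards every comment. Comment text and frame
bytes below are made up for the example."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC_LE = b"\x4d\x3c\x2b\x1a"   # 0x1A2B3C4D, little-endian


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def _options(comments) -> bytes:
    """Encode opt_comment options; an empty list produces no option field at all."""
    out = b""
    for text in comments:
        value = text.encode("utf-8")
        out += struct.pack("<HH", OPT_COMMENT, len(value)) + _pad4(value)
    return out + struct.pack("<HH", OPT_ENDOFOPT, 0) if out else b""


def _block(btype: int, body: bytes) -> bytes:
    total = 12 + len(body)          # type + length + body + trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def write_pcapng(frames, file_comments=(), packet_comments=None, linktype=1) -> bytes:
    """frames: raw frame bytes; packet_comments: {1-based frame number: [text, ...]}."""
    packet_comments = packet_comments or {}
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _options(file_comments))
    out += _block(IDB, struct.pack("<HHI", linktype, 0, 65535))
    for n, frame in enumerate(frames, 1):
        ts = 1_700_000_000_000_000 + n          # microseconds, the IDB default resolution
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        out += _block(EPB, hdr + _pad4(frame) + _options(packet_comments.get(n, [])))
    return out


def _parse_comments(opts: bytes):
    found, off = [], 0
    while off + 4 <= len(opts):
        code, length = struct.unpack("<HH", opts[off:off + 4])
        if code == OPT_ENDOFOPT:
            break
        if code == OPT_COMMENT:
            found.append(opts[off + 4:off + 4 + length].decode("utf-8"))
        off += 4 + (length + 3) // 4 * 4
    return found


def read_comments(data: bytes):
    """Return (capture comments, {frame number: [packet comments]})."""
    file_comments, pkt_comments, off, frame_no = [], {}, 0, 0
    while off + 12 <= len(data):
        btype, total = struct.unpack("<II", data[off:off + 8])
        body = data[off + 8:off + total - 4]
        if btype == SHB:
            if body[:4] != BYTE_ORDER_MAGIC_LE:
                raise ValueError("big-endian section not handled in this example")
            file_comments += _parse_comments(body[16:])
        elif btype == EPB:
            frame_no += 1
            caplen = struct.unpack("<I", body[12:16])[0]
            found = _parse_comments(body[20 + (caplen + 3) // 4 * 4:])
            if found:
                pkt_comments[frame_no] = found
        off += total
    return file_comments, pkt_comments


def write_pcap(frames, linktype=1) -> bytes:
    """Classic libpcap: a 24-byte global header and a 16-byte record header per
    frame. There is no option field anywhere, so comments cannot be stored."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for n, frame in enumerate(frames, 1):
        out += struct.pack("<IIII", 1_700_000_000, n, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    frames = [b"\xff" * 14, b"\x00" * 60, b"\xaa" * 7]                        # constructed
    capture = write_pcapng(frames, ["Suspected cryptomining: host 10.0.0.7"],
                           {2: ["first beacon to the mining pool"]})
    print(read_comments(capture))
    print("comment survives in .pcap?", b"mining pool" in write_pcap(frames))
```

Both readers here walk the file block by block, which is also why a comment added to frame 2 does not disturb the other frames: it only grows that frame's Enhanced Packet Block. Wireshark's own warning on save, and the asterisk in the title bar, exist because the .pcap path on the right-hand side of that last print has no equivalent of the option field.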
By now, you can appreciate the many ways in which you can personalize the interface and document your work while analyzing packet captures.
Whether you are a power user or a casual analyst, it only takes a few minor tweaks to personalize Wireshark so that you can complete tasks more efficiently. In this chapter, we examined the many ways to customize the Wireshark interface to fit your workflow. We covered how to modify choices such as recent filters and folders, along with the layout and general appearance. We discovered how easy it is to create tailored profiles to include preferences, coloring rules, and font styles. We then learned how to create a filter button on the toolbar for commonly used filters in Wireshark.
Furthermore, we discovered how to modify, add, or remove columns and column headers. We examined ways to fine-tune the font to make packets easier to read. We also reviewed how we can change the default colors for the various identifiers, such as the text color for marked packets. Finally, we illustrated the ability to add comments to a single packet or the entire capture to communicate issues to team members.
In the next chapter, we will take a closer look at using display and capture filters, as well as learn about some tricks and specific rules for using filters. We will then learn about using capture filters, including default capture filters, and how you can build your own. Finally, we will discover how to use shortcuts to create filters and review some commonly used filters to better manage your workflow.
Now, it's time to check your knowledge. Select the best response and then check your answers, which can be found in the Assessment appendix: