If you want to find a packet for a particular criterion, you can use the Find dialog. It has a couple of useful search techniques that can be applied easily and effectively on an already captured file or on a live running capture. You can access the Find utility by navigating to Edit | Find packets or using the shortcut Ctrl + F.
Let's see some more configurable options in it:
- ip.addr == 192.168.1.1 (based on an IP address)
- port 8080 (based on a port number)
- http (based on a protocol)
- 0A:C4:22:90:45:00 (based on a hex value)
- AA:BB:CC (based on a hex value)
Once you have customized the options, enter the text and click on Find. This will take you to the first packet that exactly matches your criterion. To move back and forth between the matched packets, you can use Ctrl + N (next) and Ctrl + B (previous).
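The following is an added example, not code from the original chapter: a small model of how the Find dialog's three search modes (display filter, hex value and string) locate packets in the packet list, together with Ctrl + N / Ctrl + B style stepping between hits. The packet list, its frame bytes and decoded field values are constructed for the demo, and the filter evaluator only understands the forms used above (a bare protocol name, ip.addr == A, or field == value). One caveat from practice: port 8080 on its own is capture-filter syntax; as a display filter you would write tcp.port == 8080, which is the form the evaluator accepts.

```python
"""Added example (not code from the original chapter): a model of how the
Find dialog's three search modes (display filter, hex value, string) locate a
packet in the packet list, plus Ctrl+N / Ctrl+B style navigation between hits.
The packets, their bytes and field values are constructed for this demo."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    number: int
    src: str
    dst: str
    proto: str            # highest-layer protocol, as the Protocol column shows it
    raw: bytes            # constructed frame bytes
    fields: dict = field(default_factory=dict)   # decoded fields (constructed)


# Constructed packet list; packet 1 starts with the MAC 0A:C4:22:90:45:00
PACKETS = [
    Packet(1, "192.168.1.10", "192.168.1.1", "tcp",
           bytes.fromhex("0ac4229045000011223344550800"), {"tcp.port": 8080}),
    Packet(2, "192.168.1.1", "192.168.1.10", "http",
           b"HTTP/1.1 404 Not Found\r\n", {"http.response.code": 404}),
    Packet(3, "10.0.0.5", "192.168.1.1", "http",
           b"GET /abc.jpg HTTP/1.1\r\n", {"http.request.uri": "/abc.jpg"}),
]


def parse_hex(pattern: str) -> bytes:
    """Accept the forms typed into a hex search: '0A:C4:22', '0a c4 22' or '0ac422'."""
    return bytes.fromhex(pattern.replace(":", "").replace(" ", ""))


def find_hex(packets, pattern: str) -> list:
    """Hex value search: packets whose raw bytes contain the byte sequence."""
    needle = parse_hex(pattern)
    return [p.number for p in packets if needle in p.raw]


def find_string(packets, text: str, case_sensitive: bool = False) -> list:
    """String search over the packet bytes (latin-1 so every byte decodes)."""
    def norm(s: str) -> str:
        return s if case_sensitive else s.lower()
    return [p.number for p in packets
            if norm(text) in norm(p.raw.decode("latin-1"))]


def find_filter(packets, expr: str) -> list:
    """Tiny evaluator for the display-filter forms used in the text:
    a bare protocol name ('http'), 'ip.addr == A' or 'field == value'."""
    expr = expr.strip()
    if "==" not in expr:
        return [p.number for p in packets if p.proto == expr]
    name, value = (part.strip() for part in expr.split("==", 1))
    if name == "ip.addr":                 # matches either endpoint
        return [p.number for p in packets if value in (p.src, p.dst)]
    return [p.number for p in packets if str(p.fields.get(name)) == value]


def next_match(matches: list, current: int) -> Optional[int]:
    """Ctrl+N: first hit after the current packet number (None at the end)."""
    later = [n for n in matches if n > current]
    return later[0] if later else None


def previous_match(matches: list, current: int) -> Optional[int]:
    """Ctrl+B: last hit before the current packet number (None at the start)."""
    earlier = [n for n in matches if n < current]
    return earlier[-1] if earlier else None


if __name__ == "__main__":
    hits = find_filter(PACKETS, "ip.addr == 192.168.1.1")
    print("ip.addr == 192.168.1.1 ->", hits)            # [1, 2, 3]
    print("next after 1 ->", next_match(hits, 1))      # 2
    print("hex 0A:C4:22:90:45:00 ->", find_hex(PACKETS, "0A:C4:22:90:45:00"))  # [1]
    print("string '404' ->", find_string(PACKETS, "404"))                        # [2]
```

The hex search works on the raw frame bytes, so it finds a MAC address in the Ethernet header even though no decoded field is consulted; the string search decodes the same bytes, which is why a case-insensitive search is usually the more forgiving choice when hunting for an error text like "Not Found".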
For a better and more convenient viewing experience, Wireshark gives us a feature to colorize a certain type of traffic that we want to highlight. Colorization of traffic is done in order to distinguish between different sets of traffic. Coloring a specific set of traffic with a rule other than the default one makes that traffic stand out, which is what lets you find the needle in the haystack.
Default coloring rules for most protocols are already defined, which is why we are able to see traffic in the packet list pane in different colors. You can access them by navigating to View | Edit coloring rules or clicking on the Edit coloring rules button from the main toolbar to open a window as shown in the following screenshot:
All rules that are currently saved as part of your global configuration file to colorize traffic with certain foreground and background colors are listed in this dialog. Every packet listed in the packet list pane follows a certain rule, which gives it a unique and distinguishable look and feel.
Let's use this feature and color the http error packets with a color of our choice. Say, for instance, I have a web server running on my machine that is used by the connected clients for file access. Now, one of the clients in my network tries a directory listing and gets HTTP 404 error messages. These error messages will pop up in my packet list pane but will be colored using the same http coloring rule, which makes these errors less visible to me. To make them more visible, I want to colorize the HTTP 404 error messages with a black background and a cyan foreground. Follow the steps shown here to achieve this:
1. My Linux client is running on 172.16.136.129, and my Mac OS is running on 172.16.136.1, which serves as a web server for the Linux client, as shown in the following screenshot. Normal traffic from the Linux client accessing the web server looks something like the screenshot here.
2. Now, from the Linux client, request a resource that does not exist on the web server in order to generate HTTP 404 error messages. The traffic generated through this request is captured, which can be seen in the following screenshot.
3. We can see, in the preceding captured traffic, that the client requested the abc.jpg resource, which was not available; thus, the client received a 404 Not Found error.
4. Open the Edit Coloring Rules dialog, create a new rule, and enter http.response.code==404 in the String box. Choose the Foreground Color option as Cyan, and choose the Background Color option as Black. Then, click on OK and navigate to Apply | OK.
5. HTTP 404 error packets will now be colored according to your new coloring rule. Try the same using a virtual environment to give yourself more insight into the topic.
Coloring rules listed in the Edit Coloring Rules dialog will be checked in a top-to-bottom manner. With every packet, there is coloring rule information attached that can be listed from the Packet Details Pane under the Frame section. Consider the following screenshot illustrating the same:
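The following is an added example, not code from the original chapter: a model of the top-to-bottom rule evaluation described above, where the first matching rule decides a packet's colors. It shows why the new HTTP 404 rule only takes effect when it sits above the broad default http rule, and mirrors the Coloring Rule Name and Coloring Rule String that the Frame section reports. The rules, their colors and the packets are constructed; the colorfilters line layout (name, filter, then background and foreground as 16-bit RGB triples) is stated from memory of that file's format and should be checked against a rule you have saved yourself.

```python
"""Added example (not from the original chapter): a model of how Wireshark
applies coloring rules. Rules are evaluated top to bottom and the first match
wins, so the narrower 'HTTP 404' rule only takes effect if it sits above the
broad default 'HTTP' rule. The rules, colours and packets are constructed;
the colorfilters line format is an assumption about that file's layout."""
from dataclasses import dataclass
from typing import Optional, Tuple

RGB = Tuple[int, int, int]   # 8-bit colour components


@dataclass(frozen=True)
class Rule:
    name: str       # reported as "Coloring Rule Name" under Frame in the details pane
    filter: str     # reported as "Coloring Rule String"
    fg: RGB
    bg: RGB


def matches(rule_filter: str, packet: dict) -> bool:
    """Evaluate the two filter forms the text uses: a bare protocol name
    ('http') or 'field==value' ('http.response.code==404')."""
    compact = rule_filter.replace(" ", "")
    if "==" in compact:
        name, value = compact.split("==", 1)
        return str(packet.get(name)) == value
    return packet.get("proto") == compact


def colorize(rules, packet: dict) -> Optional[Rule]:
    """Top-to-bottom scan; the first matching rule decides the packet's colours."""
    for rule in rules:
        if matches(rule.filter, packet):
            return rule
    return None          # nothing matched: the packet keeps the default look


def to_colorfilters_line(rule: Rule) -> str:
    """Render a rule as a colorfilters entry. Assumption (not verified here):
    the file stores '@name@filter@[bg][fg]' with 16-bit components (8-bit * 257)."""
    def triple(c: RGB) -> str:
        return "[" + ",".join(str(v * 257) for v in c) + "]"
    return f"@{rule.name}@{rule.filter}@{triple(rule.bg)}{triple(rule.fg)}"


# Constructed rules: a stand-in for the default HTTP rule, and the new 404 rule
# from the steps above (cyan foreground on a black background)
DEFAULT_HTTP = Rule("HTTP", "http", fg=(0, 0, 0), bg=(228, 255, 199))
HTTP_404 = Rule("HTTP 404", "http.response.code==404", fg=(0, 255, 255), bg=(0, 0, 0))

# Constructed packets as the colorizer sees them (decoded field values)
OK_RESPONSE = {"proto": "http", "http.response.code": 200}
NOT_FOUND = {"proto": "http", "http.response.code": 404}
DNS_QUERY = {"proto": "dns"}


def rule_name_for(rules, packet: dict) -> str:
    """The name the Frame section would show for this packet under these rules."""
    rule = colorize(rules, packet)
    return rule.name if rule else "(none)"


if __name__ == "__main__":
    # New rule appended below the default: 'http' matches first, 404 rule never fires
    print(rule_name_for([DEFAULT_HTTP, HTTP_404], NOT_FOUND))    # HTTP
    # New rule placed above the default: the specific rule wins
    print(rule_name_for([HTTP_404, DEFAULT_HTTP], NOT_FOUND))    # HTTP 404
    print(rule_name_for([HTTP_404, DEFAULT_HTTP], OK_RESPONSE))  # HTTP
    print(to_colorfilters_line(HTTP_404))
```

The practical check after adding any rule is therefore its position in the list, not just its filter: if the 404 packets still show the Coloring Rule Name of the generic http rule in the Frame section, drag the new rule above it and apply again.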