Thanks to the gentle nagging of @WiFiNigel I finally got around to posting SOME of the things I've been wanting to post. It's been sitting in a text file for several months without me ever getting around to posting it. And thanks to @JamesGarringer for inspiring me to think about maybe writing it.
Wireshark may be free, but it's a powerful and useful beast. Knowing how to use your tools, and set them up to be the most efficient and productive is important. So, here are a few of my favorite Wireshark customizations that help me do my job. This is the first of two posts.
🦈 SharkTIP #1 - Custom Profiles
The first thing you should do after installing Wireshark is to create custom profiles to have Wireshark ready to go for the task at hand. For me, that means wireless frame capture & analysis. I like to have certain columns, and colors all set so I can quickly spot things that I’m looking for. In future SharkTips I cover some of the other Wireshark customizations I use in my custom profiles.
Creating profiles is easy. First, click on “Edit” menu and then select “Configuration Profiles”. You’ll see this window popup:
Next, click on the “+” to add and name a new profile. Then click “OK” to close and save the new profile.
That’s it! Now, you’ll just have to take the time to customize your view to your likes and needs. You can arrange the panel layout, the columns that you prefer to see, the colors of the packet/frames. Any changes you make to the active profile are automatically saved.
To switch profiles just click on “Profiles” at the bottom, right-hand corner of Wireshark. You’ll see a list of all the available profiles. Just click on the one you want and your done.
You can even save you profiles for use on other machines, or to share. A quick Google search should allow to find customer profiles that other users have created that may suit your needs.
To share a profile, or add someone else's profile, go to the help about for Wireshark and click on the “Folders” tab. You’ll see links to various folders. Click on the link for the “Personal configuration”. When the window pops up go into the "Profiles" folder. There you will see folders for each of your profiles. Just copy and share the profile(s) you want share.
Alternatively, if you want to add someone else's profile(s) copy their profile folders into your "Profiles" folder. Next time you start Wireshark the profiles will be available to you.
SharkTIP #2 - Columns That Matter
Columns are YUGE. Having the right columns front and center will make finding what you want faster and easier. If you're trying to learn and understand 802.11, taking the CWAP, having the right columns will go a along way to helping you understand what's happening up in them frames!
There are a few different ways to create columns:
You can right-click on the column bar and select "Column Preferences" from the menu. Then you can press the "+" button to create a new column, give it a name and either select form the list of presets, or use a filter for what you want.
For example, if you wanted to create a column that shows TX rate you could...
OPTION 2 (My preferred method)
This option gives you more stuff to choose from. You'll be surprised what you'll find. Select an item you want from the Packet DETAILS below the Packet List like so...
Here are some of some of the columns I use:
I hide/unhide columns as needed by right-clicking on the column bar and selecting/de-selecting what I want from the list:
SharkTIP #3 - Colorize The Packets!
I spend the majority of my time working with 802.11. So, I’ve customized Wireshark to make analyzing it faster and easier.
One of the first things I did was add a custom color palette for colorizing 802.11 frames. Fortunately, I didn’t have to work too hard. @WiFiTrent created this awesome color profile based on MetaGeek’s Eye P.A., and @WifiNigel blogged about how to add it to Wireshark here. The color scheme breaks it down into three basic color sets for each 802.11 frame type - Management, Control, and Data. It makes it so much easier to spot things quickly, and helps me better understand what I’m seeing. I love it!
To install it click on “View” and select “Colorization rules…”. You’ll see an option to import the file. Or, if you want to take the time to create your own color rule set just click on the “+” button and start creating your rules, frame by frame!
Happy coloring! 🖍
SharkTIP #4 - Create A List Of Commonly Used Display Filters
Just click on the little bookmark icon to the left of the filter entry field, select "Manage Display Filters", and add your most commonly used display filters for quick and easy access. Then just click and select them on the fly!
Display Filter Buttons! (Wah????)
Another cool way to do filters are Filter Buttons! Ceate Filter Buttons in Wireshark toolbar for your most used filters. Just click and BLAMO! You're filtering, yo!
Easy to do. Here is how you create and remove an existing filter button. Here I'm adding a button to quickly filter on only frames that pertain to my MacBook, JAYNE.
Just click on the "+" on the filter bar and then add a label and the filter you want to use...
SHARKTIP #5 - Custom Name Resolution (The “ethers” file) 🕵🏻
Sometimes it hard to see through the mass of information Wireshark presents you. For quick scanning I like to add name resolution for mac addresses so devices I’m looking for are easily identifiable in Wireshark.
It's simple to do.
On a Mac go to Wireshark > About Wireshark, and on Windows go to Help > About
When the dialog pops up click on the “Folders” tab
Click on the link next to "Personal configuration".
Open the “ethers” file in your text editor of choice (If you don't see an "ethers" file you create a text file and copy paste the example below.)
Add each device on a separate line, Mac address, followed by a space, and then the name:
Example of an ethers file:
# Use the ethers files to name devices.
# This will replace the MAC address with the name you specify here.
# An example of adding a device MAC address and name.
######## EXAMPLE DEVICE ENTRY ############
# 1A:2B:3C:4D:5E:6F DEVICE-NAME
######## ENTER YOU DEVICES BELOW! ########
Save the file in /etc, restart Wireshark and now you’ll see the device name instead of the Mac address.
IT will look something like this:
(Here I added my AppleTV and Aruba IAP-224:)
That's it of now. I'll post some more SHARKTIPS™ :-) in the next few weeks.