Wireshark Coloring Rules
04-08-2019 02:58 PM - edited 04-12-2019 10:33 AM
As shown at Atmosphere '19 in Las Vegas last week, it is recommended to use Wireshark's "Coloring Rules" for the common protocols you need to analyze, as they make browsing through a large sniffer trace file for monitoring or troubleshooting much more efficient.
The attached file contains my colorfilters file, which can be imported into Wireshark's "Coloring Rules" to display the different protocol communications when analyzing WiFi frames. These rules are permanently saved and used each time Wireshark is started.
(Note 1: These color filters were based on using Wireshark version 2.6.3. Please back up your colorfilters file before importing this colorfilters file via Wireshark's menu selection "View-->>Coloring Rules...-->>Import". Once the colorfilters file is imported, you should manually select all of these new rules and drag them to the top of your rule set so they are applied in the correct order.)
(Note 2: Coloring rules are read from the top of the list down, so the first matching filter is applied. For example, I have the "802.11 retry bit set" and "802.11 power management bit set" filter rules positioned at the top, as I want to highlight such frames in my wireless analysis.)
In addition to importing the above or other preconfigured color filters, you can also create your own using either of the following two methods:
OR with the following temporary coloring method:
Example Wireshark "Coloring Rules" list for monitoring WiFi frames:
Example of browsing a WiFi sniffer trace using helpful color filters to differentiate protocol phases:
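As an added example, not the author's attached colorfilters file: a Python helper that parses the colorfilters syntax Wireshark imports (`@name@filter@[bg][fg]`, with a leading `!` marking a disabled rule), checks whether the two "bit set" rules from Note 2 sit above every other enabled rule, and moves them to the top so the first-match-wins order is right without dragging rules by hand. The retry and power-management filters use the real `wlan.fc.retry` and `wlan.fc.pwrmgt` fields; the remaining rules, names and colours are constructed sample data.

```python
import re

# Constructed sample in Wireshark's colorfilters syntax (not the author's attached file):
#   @name@display filter@[bg r,g,b][fg r,g,b]  (16-bit channels; "!" prefix = disabled, "#" = comment)
# The two rules that must win first are deliberately not yet at the top, as right after an import.
SAMPLE = """\
# DO NOT EDIT THIS FILE!  It was created by Wireshark
@802.11 beacon@wlan.fc.type_subtype == 0x08@[58596,65535,51143][0,0,0]
@802.11 retry bit set@wlan.fc.retry == 1@[65535,65535,0][0,0,0]
!@802.11 probe@wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05@[65535,62780,58596][0,0,0]
@802.11 power management bit set@wlan.fc.pwrmgt == 1@[0,65535,65535][0,0,0]
@EAPOL 4-way handshake@eapol@[65535,52428,65535][0,0,0]
"""

# Rules that must precede every protocol-phase rule, since the first match wins.
TOP_RULES = ["802.11 retry bit set", "802.11 power management bit set"]
RULE_RE = re.compile(r"^(!?)@([^@]*)@(.*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")

def parse_colorfilters(text):
    """Parse colorfilters text into dicts (name, filter, enabled, bg, fg) in file order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a colorfilters rule: {line!r}")
        rgb = [int(v) for v in m.groups()[3:]]
        if max(rgb) > 65535:
            raise ValueError(f"line {lineno}: colour channel exceeds 16-bit range")
        rules.append({"name": m.group(2), "filter": m.group(3),
                      "enabled": m.group(1) != "!",
                      "bg": tuple(rgb[:3]), "fg": tuple(rgb[3:])})
    return rules

def top_rules_first(rules, wanted=TOP_RULES):
    """True when the first enabled rules are exactly the wanted ones."""
    enabled = [r["name"] for r in rules if r["enabled"]]
    return set(enabled[:len(wanted)]) == set(wanted)

def move_to_top(rules, wanted=TOP_RULES):
    """Same rules with the wanted ones moved to the front, other order preserved."""
    return ([r for r in rules if r["name"] in wanted]
            + [r for r in rules if r["name"] not in wanted])

def serialize(rules):
    """Write rules back out in colorfilters syntax (ready to import into Wireshark)."""
    line = "%s@%s@%s@[%d,%d,%d][%d,%d,%d]\n"
    return "".join(line % ("" if r["enabled"] else "!", r["name"], r["filter"], *r["bg"], *r["fg"]) for r in rules)
```

Running `serialize(move_to_top(parse_colorfilters(open("colorfilters").read())))` on a real profile's colorfilters file yields text you can save and import through the same "View-->>Coloring Rules...-->>Import" dialog.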