Wireshark Profiles are Power
Wireshark profiles are a huge timesaver. When I open a trace file in Wireshark, I want all of my settings, filters or color rules ready to go. I do not want to recreate the wheel.
Many people use the Default profile, and just keep making changes depending on the situation. Some just stay with default settings. I use Wireshark daily, and I need more than just the Default.
When I first made the transition from the Network General Sniffer to Wireshark, back in 2007,I found myself creating a new settings profile for each of my customers. This worked well for certain filters for specific subnets or in-house applications. Yet I found myself making many of the same changes over and over again. That did not go well. Nobody wants to make a customer wait while you configure your toolset.
I changed to creating profiles based on layers of the OSI model and specific protocols, and that has worked beautifully. I can always copy a profile for a customer, and customize as needed.
Create a Profile
Just in case you added a few things to your Default, we'll copy it and work with the copy. Then you can rollback if you like. Go to Edit | Configuration Profiles. I might have a few more than you do :). Don't worry, at the end of the article I'll give you a link so you can download them.
Click on the Default profile, then the copy button. Name it something exciting like NewDefault.
Now you can make whatever changes you need. For example, I like to change the layout. On a Mac, Wireshark | Preferences | Appearance | Layout.
Copy a Profile
But what if you just want to skip to the end? Copying a profile from someone else can really speed things up. I'm going to switch to one of my profiles, and see the change in Wireshark.
Here is the Default profile with no filters.
Here is Betty-DNS with a DNS filter. Notice the new buttons in the toolbar.
What did I change? I added filter buttons, columns, coloring rules, capture interface, layout and font. Some things are consistent with all of my profiles, so I created a Betty-Default and use it as a starting point for any new profile.
Color coding is big with me, so I made rules with white background and different colors for the different layers of the OSI model. Application is purple, Transport is blue, Network is green, and Data Link is orange. Then I made anything worthy of looking at first red, everything else is not red :). I like to keep it simple.
I used to toggle my colors off and focused on issues with filters because there were just too many colors to remember what they were. Then I learned a hack from Laura Chappell. She puts a T- in front of her troubleshooting rules, then S- for security and N- for notes to self. Here's the cool part, she used one color for each category no matter how many rules there are. This way she knows if she sees something security related, it is going to be dark orange. Then the extra-cool part, tap the name of the column that is red for my T- rules to sort. Sure makes doing trace triage faster!! HT @LauraChappell.
Here are my color rules for the Betty-DNS profile.
I'm also very into columns. If I notice that I keep looking at a particular field in the Detail, I will just r-click and Apply as Column. It saves me a lot of scrolling, but also takes up quite a bit of screen real estate. My sister says, "you can have it all, but you can't have it all at once". So true.
Here is a great hack I learned from Vladimir HT @Packet_vlad. You don't have to have just a single field for a column, you can use OR to have multiple fields. Now I only use one column to get application response time for 7 protocols.
If you would like to copy this or the other profiles I use, go to https://www.bettydubois.com/wireshark-profiles. I add filters and coloring rules often so watch for updates on twitter @PacketDetective. I have from a great source that in Wireshark 3.2 you will be able to import profiles from others much more easily. HT @rknall https://twitter.com/rknall/status/1151156714743443456
Author Profile - Betty DuBois is the Chief Detective for Packet Detectives, and has been solving mysteries since 1997. She troubleshoots the root cause of network and/or application issues. Experienced with a range of hardware and software solutions, she captures the right data, in the right place, and at the right time.
Using packets to solve crimes against the network and applications, is her passion. Teaching others to do the same, is her calling.
Do you have a Packet mystery that you'd like Betty to solve, or? How about a team who needs training on how to catch the culprit themselves? Go to https://www.bettydubois.com/about for contact information.