Wireshark Profiles are Power

I Hate Waiting

Wireshark profiles are a huge timesaver. When I open a trace file in Wireshark, I want all of my settings, filters or color rules ready to go. I do not want to recreate the wheel.

Many people use the Default profile, and just keep making changes depending on the situation. Some just stay with default settings. I use Wireshark daily, and I need more than just the Default.

When I first made the transition from the Network General Sniffer to Wireshark, back in 2007,I found myself creating a new settings profile for each of my customers. This worked well for certain filters for specific subnets or in-house applications. Yet I found myself making many of the same changes over and over again. That did not go well. Nobody wants to make a customer wait while you configure your toolset.

I changed to creating profiles based on layers of the OSI model and specific protocols, and that has worked beautifully. I can always copy a profile for a customer, and customize as needed.

How To Create A Profile

Just in case you added a few things to your Default, we'll copy it and work with the copy.  Then you can rollback if you like. Go to Edit | Configuration Profiles.  I might have a few more than you do :).  Don't worry, at the end of the article I'll give you a link so you can download them.

Click on the Default profile, then the copy button. Name it something exciting like NewDefault.

Make Changes

Now you can make whatever changes you need. For example, I like to change the layout. On a Mac, Wireshark | Preferences | Appearance | Layout.

Copy A Profile

But what if you just want to skip to the end? Copying a profile from someone else can really speed things up. I'm going to switch to one of my profiles, and see the change in Wireshark.

Here is the Default profile with no filters. 

Filter Buttons In The Toolbar

Here is Betty-DNS with a DNS filter. Notice the new buttons in the toolbar.

What Do I Change?

What did I change? I added filter buttons, columns, coloring rules, capture interface, layout and font. Some things are consistent with all of my profiles, so I created a Betty-Default and use it as a starting point for any new profile.

Color coding is big with me, so I made rules with white background and different colors for the different layers of the OSI model. Application is purple, Transport is blue, Network is green, and Data Link is orange. Then I made anything worthy of looking at first red, everything else is not red :). I like to keep it simple.

I used to toggle my colors off and focused on issues with filters because there were just too many colors to remember what they were. Then I learned a hack from Laura Chappell. She puts a T- in front of her troubleshooting rules, then S- for security and N- for notes to self. Here's the cool part, she used one color for each category no matter how many rules there are. This way she knows if she sees something security related, it is going to be dark orange. Then the extra-cool part, tap the name of the column that is red for my T- rules to sort. Sure makes doing trace triage faster!! HT @LauraChappell.

Does Each Profile Get Different Color Rules?

It depends.  I used to do different colors for each, but it got to be too much.  I also tested it, and the pcaps do not load any faster with an empty ruleset vs a 50 rules ruleset.  Here are my old color rules for the Betty-DNS profile.

What About Columns?

I'm also very into columns. If I notice that I keep looking at a particular field in the Detail, I will just r-click and Apply as Column. It saves me a lot of scrolling, but also takes up quite a bit of screen real estate. My sister says, "you can have it all, but you can't have it all at once". So true.

Here is a great hack I learned from Vladimir HT @Packet_vlad. You don't have to have just a single field for a column, you can use OR to have multiple fields. Now I only use one column to get application response time for 7 protocols.

If you would like to copy this or the other profiles I use, go to https://wiresharkprofiles.com. I add filters and coloring rules often so watch for updates on twitter @PacketDetective. I have from a great source that in Wireshark 3.2 you will be able to import profiles from others much more easily. HT @rknall https://twitter.com/rknall/status/1151156714743443456

Please Share