This is the most stupid question I ever asked my boss (that I can remember) in my entire career. Ages later I still recall it with a laugh, and I wanted to write it up because it is a common and silly doubt that most newborn security babies have in their heads when they first look at the Wireshark capture window.
Wireshark uses packet colorization; in a nutshell, it ships with a predefined set of coloring rules for certain kinds of packets, and we can define our own rules based on display filters (keywords, fields, or any expression the filter bar accepts). Wireshark allows us to do this in two ways:
- Temporary colorization - the coloring lasts only until Wireshark is restarted.
- Permanent colorization - the rule is saved and survives a restart of Wireshark.
To temporarily colorize a packet, right-click the packet and choose one of the ten colors from the Colorize Conversation submenu. Note that this colors the whole conversation the packet belongs to (for example the entire TCP stream), not just the one packet; the same submenu is also available under the View menu.
For permanent colorization, open View > Coloring Rules, where you can change the color of an existing rule in the list or add a new rule backed by an explicit user-defined display filter.
For such user-defined rules, I’m considering a scenario here. Assume user A is performing a Google search for “exploit-db”. Now you have the whole Wireshark capture and want to find all packets that contain the keyword “exploit-db”.
This can be done by adding the display filter
tcp contains "exploit-db". The contains operator matches the raw bytes of the packet, so it is case-sensitive and only finds the string where it travels in cleartext; if the search goes over HTTPS the term will not appear in the TCP payload, though related cleartext such as the DNS lookup for the site still will. We can add a permanent coloring rule for this filter by clicking New in the Wireshark Coloring Rules window, as shown in the above screenshot. Wireshark will then display matching packets in the chosen color, as shown in the screenshot below. It is also possible to import coloring rules from a rules file (the Import button in the same dialog) and to export your own rules for sharing.
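The permanent rules from the Coloring Rules dialog are stored in a plain-text file named colorfilters in the Wireshark profile directory, and the Import button reads files in the same format. The script below is an added example (not code from the original post or from the Wireshark project): it builds rule lines for the scenario above, writes them to a file, and parses them back. The rule names, the colors, and the second rule on the DNS query name are my own assumptions; the file format (one rule per line, @name@filter@[fg][bg] with 16-bit color components and a leading ! for a disabled rule) is Wireshark's.

```python
"""Generate and parse Wireshark 'colorfilters' entries (added example).

Permanent coloring rules live in a plain-text file named 'colorfilters' in
the Wireshark profile directory (for example ~/.config/wireshark/colorfilters
on Linux or %APPDATA%\\Wireshark\\colorfilters on Windows). One rule per line:

    @<name>@<display filter>@[<fg R>,<fg G>,<fg B>][<bg R>,<bg G>,<bg B>]

Colour components are 16-bit (0..65535). A line starting with "!@" is a rule
that is kept but disabled. Wireshark applies the first matching rule from the
top, so the most specific rules belong first. Lines starting with '#' are
comments.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

RULE_RE = re.compile(
    r'^(?P<off>!?)@(?P<name>[^@]*)@(?P<filter>.*)@'
    r'\[(?P<fr>\d+),(?P<fg>\d+),(?P<fb>\d+)\]'
    r'\[(?P<br>\d+),(?P<bg>\d+),(?P<bb>\d+)\]$'
)

RGB = Tuple[int, int, int]


@dataclass
class ColorRule:
    name: str
    filter: str      # Wireshark display filter, same syntax as the filter bar
    fg: RGB          # foreground (text) colour, 8-bit RGB
    bg: RGB          # background colour, 8-bit RGB
    enabled: bool = True


def _to16(c: RGB) -> RGB:
    # 8-bit -> 16-bit; 255 * 257 == 65535, so full scale maps exactly
    return tuple(v * 257 for v in c)


def _to8(c: RGB) -> RGB:
    return tuple(v // 257 for v in c)


def format_rule(rule: ColorRule) -> str:
    """Render one rule in the colorfilters line format."""
    fr, fg, fb = _to16(rule.fg)
    br, bg, bb = _to16(rule.bg)
    prefix = "@" if rule.enabled else "!@"
    return f"{prefix}{rule.name}@{rule.filter}@[{fr},{fg},{fb}][{br},{bg},{bb}]"


def parse_rule(line: str) -> ColorRule:
    """Parse one colorfilters line back into a ColorRule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a colorfilters rule: {line!r}")
    g = m.groupdict()
    return ColorRule(
        name=g["name"],
        filter=g["filter"],
        fg=_to8((int(g["fr"]), int(g["fg"]), int(g["fb"]))),
        bg=_to8((int(g["br"]), int(g["bg"]), int(g["bb"]))),
        enabled=(g["off"] == ""),
    )


def write_colorfilters(path: Path, rules: List[ColorRule]) -> None:
    lines = ["# coloring rules written by the example script"]
    lines += [format_rule(r) for r in rules]
    path.write_text("\n".join(lines) + "\n")


def load_colorfilters(path: Path) -> List[ColorRule]:
    return [parse_rule(ln) for ln in path.read_text().splitlines()
            if ln.strip() and not ln.startswith("#")]


# Constructed rules for the scenario in the post (names and colours are
# assumptions). The first matches the raw bytes of the search term in a TCP
# payload, which only works while the traffic is cleartext. The second catches
# the DNS lookup for the site, which stays visible when the web session
# itself is encrypted.
EXAMPLE_RULES = [
    ColorRule("exploit-db in TCP payload", 'tcp contains "exploit-db"',
              (0, 0, 0), (255, 255, 0)),
    ColorRule("exploit-db DNS lookup", 'dns.qry.name contains "exploit-db"',
              (0, 0, 0), (255, 200, 0)),
]


def demo() -> List[ColorRule]:
    """Write the example rules to a temporary file and read them back."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "colorfilters"
        write_colorfilters(path, EXAMPLE_RULES)
        return load_colorfilters(path)


if __name__ == "__main__":
    for r in EXAMPLE_RULES:
        print(format_rule(r))
    print("round trip ok:", demo() == EXAMPLE_RULES)
```

Copy the generated lines into a profile's colorfilters file (with Wireshark closed, since it rewrites the file on exit) or load them through Import in the Coloring Rules dialog. Before relying on a rule, check that the filter compiles with Wireshark's dftest tool, e.g. dftest 'tcp contains "exploit-db"'; a filter with a syntax error is silently shown as invalid in the dialog and never matches anything.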
Most of the time we skip learning the fundamentals, and simple things like this make a lot of sense when dealing with more complex scenarios. It is important to learn how to learn. This is just one such example from my own experience.