WireShark ColorFilter declaration

WireSharkColorFilter.txt

# This file was created by Wireshark. Edit with care.
#
### ENABLED BY DEFAULT ###
#
# These ColoringRules will mark all TCP Retransmissions (and other interesting TCP
# events) with an easy to spot red background color. This makes it very easy to
# spot where PacketLoss occurs for TCP based protocols and can be used to quickly
# find performance issues related to PacketLoss.
#
# This filter requires that the preference for Analyzing TCP Sequence numbers has
# been enabled, or else the filter will not work. Make sure that the preference
# setting for this feature has been enabled:
#
# Copied from https://wiki.wireshark.org/TCP_Retransmissions_ColorFilter
#
@TCP retransmissions@tcp.analysis.flags@[65534,13425,11528][0,0,0]
#
###########################################
#
### ENABLED BY DEFAULT ###
#
# Copied from https://youtu.be/wYTg4zkoUg8?t=2808 by Johannes Weber (weberdns.de)
#
@DNS slow@dns.time > 0.03@[65535,43690,0][0,0,0]
@DNS very slow@dns.time > 1@[65535,21845,0][0,0,0]
@DNS dynamic update@dns.flags.opcode eq 5@[65535,43690,65535][0,0,0]
@DNS@dns && !(icmp) && !(icmpv6)@[65535,65535,0][0,0,0]
@IPv6 MLD Zeugs@icmpv6.type in {130,131,132,143}@[65535,65535,65535][51143,60652,59881]
@ICMPv6 DAD@icmpv6.type eq 135 && ipv6.src eq ::@[43690,65535,0][0,0,0]
@ICMPv6 NS/NA@icmpv6.type in {135,136}@[0,65535,65535][0,0,0]
@ICMPv6 RS/RA@icmpv6.type in {133,134}@[43690,21845,65535][0,0,0]
#
###########################################
#
### DISABLED BY DEFAULT ###
#
# This is a link[0] to Wireshark entries on my blog. Included are various coloring
# rules updates and font/icon size fixes for MacOSX/Linux.
#
# This is a general use set of Coloring Rules. I believe the colors are a little
# easier to view than some of the other sets here. I have updated these to be
# compatable with 0.10.13 as everything was being marked as red before.
#
# [0]: http://blog.tp.org/cgi-bin/mt-search.cgi?blog_id=3&tag=wireshark&limit=20
#
# Copied from https://wiki.wireshark.org/Jay's_Coloring_Rules
#
!@Attn@ tcp.analysis.flags || tcp.checksum_bad || udp.checksum_bad || ip.fragment.error || ip.fragment.overlap.conflict || ip.fragment.overlap@[52428,17476,17476][65535,65535,65535]
!@NW Change@(hsrp.state != 8  && hsrp.state !=16) || stp.type == 0x80 || ospf.msg != 1@[34952,34952,34952][65535,65535,0]
!@NW Traf@stp.protocol || cdp || hsrp || vrrp || ospf || bgp || eigrp || rip || gvrp || rtmp || igmp || eth.addr == 01:00:0c:cc:cc:cc@[34952,34952,34952][0,0,0]
!@Core Srvcs@arp || ntp || dns || udp.port == 67 || udp.port == 68@[34952,34952,43690][0,0,0]
!@Multicast@ip.dst > 224.0.0.0@[39321,48059,39321][0,0,0]
!@ICMP Err@icmp.type range 3 5 || icmp.type eq 11@[56540,52017,56540][65535,0,0]
!@ICMP@icmp@[56540,51914,56540][0,0,0]
!@RST@tcp.flags & 0x04@[61717,47055,24609][0,0,0]
!@SYN@tcp.flags & 0x02@[30583,65535,30583][607,3474,607]
!@FIN@tcp.flags & 0x01@[65535,34952,34952][0,0,0]
!@HTTP@http@[43734,43734,56797][0,0,0]
!@NetBIOS@netbios || nbns || smb || srvloc || srvsvc || nbss@[36700,36700,61166][0,0,0]
!@TCP@tcp@[53739,53739,65535][0,0,0]
!@UDP@udp@[60948,60948,65535][0,0,0]
#
###########################################
#
### DISABLED BY DEFAULT ###
#
# This is a General use Color Filter. I use it to distinguish some of the most
# used protocols on my network and my customers networks.
#
# Copied from https://wiki.wireshark.org/General_use_ColorFilter
#
!@NTP@ntp && !icmpv6 && !icmp@[65535,21845,65535][0,0,0]
!@httptcp@ tcp.srcport == 80 or tcp.dstport == 80@[38385,62683,65534][0,0,0]
!@DNS@dns@[19194,65534,32100][0,0,0]
!@ARP@arp@[65202,65533,24456][0,0,0]
!@icmp@icmp@[65534,8609,6712][0,0,0]
!@STP@stp@[65534,65534,65534][8262,42200,9408]
!@Netbios@tcp.srcport == 139 or tcp.dstport == 139 or  tcp.srcport == 138 or tcp.dstport == 138 or  tcp.srcport == 137 or tcp.dstport == 137 or udp.srcport == 139 or udp.dstport == 139 or  udp.srcport == 138 or udp.dstport == 138 or  udp.srcport == 137 or udp.dstport == 137@[7961,5947,65534][64045,65535,62556]
!@smtp@ tcp.srcport == 25 or tcp.dstport == 25@[65534,10208,51170][62059,62059,62059]
!@pop@ tcp.srcport == 110 or tcp.dstport == 110@[65534,7268,54440][0,0,0]
!@nntp@nntp@[49886,47154,63549][992,992,992]
!@snmp@snmp@[62556,52730,2142][7636,32644,64045]
!@igmp@igmp@[45944,5999,65534][0,0,0]
!@telnet@ tcp.srcport == 23 or tcp.dstport == 23@[9274,47661,3862][0,0,0]
!@tftp@tftp@[59220,3637,65534][0,0,0]
!@ftp@ftp@[62721,6393,65534][0,13490,65038]
!@Q931@q931@[14275,65534,25039][0,0,0]
!@rsvp@rsvp@[60324,7655,65534][63348,65535,9481]
!@CMIP@ udp.srcport == 164 or udp.dstport == 164@[47957,9122,9122][60977,63600,0]
!@tcp@tcp@[40555,49091,65534][0,0,0]
!@udp@udp@[39040,49264,65534][64542,64542,64542]
#
###########################################
#
### ENABLED BY DEFAULT ###
#
# The default
#
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
@Spanning Tree Topology  Change@stp.type == 0x80@[4626,10023,11822][65535,64764,40092]
@OSPF State Change@ospf.msg != 1@[4626,10023,11822][65535,64764,40092]
@ICMP errors@icmp.type in { 3..5, 11 } || icmpv6.type in { 1..4 }@[4626,10023,11822][47031,63479,29812]
@ARP@arp@[64250,61680,55255][4626,10023,11822]
@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
@TCP RST@tcp.flags.reset eq 1@[42148,0,0][65535,64764,40092]
@SCTP ABORT@sctp.chunk_type eq ABORT@[42148,0,0][65535,64764,40092]
@IPv4 TTL low or unexpected@(ip.dst != 224.0.0.0/4 && ip.ttl < 5 && !(pim || ospf || eigrp || bgp || tcp.port==179)) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp || eigrp || rip || glbp))@[42148,0,0][60652,61680,60395]
@IPv6 hop limit low or unexpected@(ipv6.dst != ff00::/8 && ipv6.hlim < 5 && !( ospf|| bgp || tcp.port==179)) || (ipv6.dst==ff00::/8 && ipv6.hlim not in {1, 64, 255})@[42148,0,0][60652,61680,60395]
@Checksum Errors@eth.fcs.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
@SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
@TCP@tcp@[59367,59110,65535][4626,10023,11822]
@UDP@udp@[56026,61166,65535][4626,10023,11822]
@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]

WireSharkCustomColumns.md

Name	Filter
Destination	eth.dst
Geo Src City	ip.geoip.src_city or ipv6.geoip.src_city
Geo Dst City	ip.geoip.dst_city or ipv6.geoip.dst_city
VLAN-ID	vlan.id
Original Source triggering ICMP Error	ipv6.dst
ICMP type	icmp.type or icmpv6.type
TCP Stream-ID	tcp.stream
UDP Stream-ID	udp.stream or quic.connection.number
Hop Limit	ipv6.hlim or ip.ttl
DNS Query or Host or SNI	dns.qry.name or http.host or tls.handshake.extensions_server_name
Comment	frame.comment
HTTP/2 Stream-ID	http2.streamid

WireSharkDisplayFilters.md

Display Filters

Filter	Comment
dns	(payload only)
udp.port eq 53 or tcp.port eq 53	Unencrypted DNS
udp.port eq 53 or tcp.port eq 53 or ipv6.nxt eq 44 or ip.flags.mf eq 1	UDP-DNS fragmentation of the response packet