Customizing Wireshark lets you define your own markers and shortcuts in the interface, which makes the later analysis of packets much easier. The main Wireshark window is divided into four parts:
- Part 1 holds the menus, the toolbar buttons and the display filter bar.
- Part 2 is the packet list, the list of captured packets; we will see later how to customize its columns.
- Part 3 shows the decoded details of the packet selected in part 2.
- Part 4 shows the raw bytes of the selected packet as a hex dump with an ASCII rendering alongside. Below it, at the very bottom of the window, sits the status bar, which shows information such as the name of the profile currently in use, the total number of packets in the capture, the number of packets currently displayed, and other information about the capture file.
1 Profiles
In Wireshark, a profile groups many settings together, so you can quickly switch the whole configuration to match the type of capture you are working on (WLAN, Ethernet, application traffic, …). A profile stores:
- Preferences
- Capture filters
- Display filters
- Color rules
- Disabled protocols
- Macros
- Some display settings
By default, profiles are stored in the following directory on Windows:
C:\Users\<username>\AppData\Roaming\Wireshark\profiles\<profile name>
(on Linux and macOS the equivalent location is ~/.config/wireshark/profiles/<profile name>)
The name of the directory is the name of the profile, so you can import a profile simply by copying its directory into this location and restarting Wireshark.
To open the profile management dialog, right-click on "Profile: <active profile name>" at the right of the status bar, then select "Manage Profiles…".
There you can create a new profile with the ( + ) button, delete the selected one with the ( – ) button, or duplicate an existing profile with the copy button.
2 Columns
In the packet list, you can choose which information is displayed in the columns and how it is displayed. This is very useful for having the information you need in front of you at a glance and for making the capture easier to read.
There are two ways to choose the columns to display:
- The first is via the menu Edit > Preferences > Appearance > Columns:
You can add columns with the ( + ) button and remove them with the ( – ) button. You can also change how a column's information is displayed by clicking in its Type column, for example to change the way the time is shown (absolute, relative to the previous packet, etc.). For custom columns, set the Type to "Custom" and enter in the Fields column the display-filter field you want to see (for example wlan.ssid).
- The second method is to select, in the packet details pane, the field you want to see as a column, right-click it and choose "Apply as Column".
You can also remove columns by right-clicking on the column header and selecting "Remove this Column".
Once you have selected all your columns, use the "Auto-Size Columns" option to adjust the width of each column to its content.
Here are some examples of columns and the fields behind them (a "Custom" column uses the field name exactly as it appears in a display filter):
Name | Field
--- | ---
Frame Number | frame.number
Receiver Address | wlan.ra
Transmitter Address | wlan.ta
Destination Address | wlan.da
Source Address | wlan.sa
SSID | wlan.ssid
PHY | wlan_radio.phy
Data rate | wlan_radio.data_rate
Channel | wlan_radio.channel
Note that wlan.ra/wlan.ta are the addresses actually put on the air by the 802.11 layer, while wlan.da/wlan.sa are the logical end points; in infrastructure mode they differ whenever an access point relays the frame.
You can find all the available fields here: https://www.wireshark.org/docs/dfref/w/wlan_radio.html
and https://www.wireshark.org/docs/dfref/w/wlan.html
3 Colorization
Colorization helps you identify packets in the packet list at a glance according to criteria you define: the frame type, whether the frame is a retransmission, the channel, the signal strength, and so on. Both the background and the text color can be changed. There are two ways to create coloring rules:
- The first is via the menu View > Coloring Rules…, where you create and edit the rules as you wish; each rule can then be enabled or disabled with its checkbox. If a packet matches several rules, only the first matching rule in the list is applied, so the order matters and can be changed by drag and drop.
- The second method is to select, in the packet details pane, the field you want to use as a filter, right-click it and choose "Colorize with Filter", then "New Coloring Rule…". The new rule is built from the value of that field in the selected packet, so it applies to every packet carrying the same value. Again, the order of the rules matters, because only the first one that matches is applied.
4 Device naming
To make the packets easier to read, you can also replace the MAC address of a device with a name, so that the device can be picked out in the packet list immediately. To do this, edit (or create) the "ethers" file in the profile directory:
C:\Users\<username>\AppData\Roaming\Wireshark\profiles\<profile name>\ethers
Each line of this file contains the MAC address (in the form XX:XX:XX:XX:XX:XX) followed by the device name, separated by whitespace. Here is an example of such a file:
02:12:C7:E3:FD:38 XcoverPro
EA:83:E5:38:09:84 Xcover5
E6:CA:41:00:4B:DF Zebra
00:DC:B2:2B:02:10 AP1
00:DC:B2:2B:27:50 AP2
00:DC:B2:2B:3F:70 AP3
Once the file is saved, restart Wireshark: the names now appear in place of the MAC addresses in the address columns. If they do not, check that physical address resolution is enabled (View > Name Resolution > Resolve Physical Addresses) and that the file really is named "ethers", without an extension.
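The ethers format above and the address columns from the Columns section can be exercised outside the GUI, for example to validate an ethers file before dropping it into a profile, or to apply the same naming to field output from tshark. The following Python script is an added example written for this article; it is not part of Wireshark and not code from the original page. It parses an ethers file (full six-octet addresses only, ':' or '-' separators, '#' comments), rejects malformed lines with the line number, and resolves the wlan.* address columns of a constructed tshark-style row. The sample ethers text reuses the names from the example above; the packet row is constructed for the example.

```python
import re

# Address columns from the Columns section that carry a MAC address.
ADDRESS_FIELDS = {"wlan.ra", "wlan.ta", "wlan.da", "wlan.sa"}

# A full MAC address as accepted in an ethers file: six hex octets,
# separated by ':' or '-'. Shorter vendor-prefix entries are not handled here.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?:[:-]([0-9A-Fa-f]{2})){5}$")


def normalize_mac(mac):
    """Return the address as lower-case, colon-separated; raise on bad input."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower() for o in re.split(r"[:-]", mac))


def parse_ethers(text):
    """Parse ethers file contents into {normalized_mac: name}."""
    names = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<mac> <name>', got {raw!r}")
        mac, name = parts
        names[normalize_mac(mac)] = name
    return names


def render_ethers(names):
    """Write the mapping back out in ethers format, one entry per line."""
    return "".join(f"{mac} {name}\n" for mac, name in sorted(names.items()))


def resolve(names, mac):
    """Name for a MAC address; unknown or malformed values are returned as-is,
    which is also what the Wireshark address column shows for them."""
    try:
        return names.get(normalize_mac(mac), mac)
    except ValueError:
        return mac


def resolve_row(names, row):
    """Apply name resolution to the address columns of one field row."""
    return {field: (resolve(names, value) if field in ADDRESS_FIELDS else value)
            for field, value in row.items()}


# Constructed sample ethers file (names from the article's example; one entry
# deliberately uses '-' separators to show both forms are accepted).
ETHERS_TEXT = """\
# access points and handhelds on the test WLAN
02:12:C7:E3:FD:38 XcoverPro
EA:83:E5:38:09:84 Xcover5
E6:CA:41:00:4B:DF Zebra
00-DC-B2-2B-02-10 AP1
00:DC:B2:2B:27:50 AP2
00:DC:B2:2B:3F:70 AP3
"""

# Constructed row in the shape of `tshark -T fields -e frame.number -e wlan.ra ...`
SAMPLE_ROW = {
    "frame.number": "17",
    "wlan.ra": "00:dc:b2:2b:02:10",
    "wlan.ta": "02:12:c7:e3:fd:38",
    "wlan.da": "ff:ff:ff:ff:ff:ff",   # broadcast: no ethers entry, stays as-is
    "wlan.sa": "02:12:c7:e3:fd:38",
    "wlan.ssid": "corp-wlan",
    "wlan_radio.channel": "36",
}

if __name__ == "__main__":
    names = parse_ethers(ETHERS_TEXT)
    print(render_ethers(names), end="")
    for field, value in resolve_row(names, SAMPLE_ROW).items():
        print(f"{field:20} {value}")
```

The same address fields can be exported from a capture with `tshark -r capture.pcapng -T fields -e frame.number -e wlan.ra -e wlan.ta -e wlan.da -e wlan.sa -E header=y`, and the rows fed to `resolve_row`. Keeping the parser strict (one address and one name per line, nothing else) is deliberate: a silently ignored malformed line is exactly the kind of mistake that leaves one access point unnamed in the packet list without any error.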