@netravnen
Last active November 27, 2024 19:03
WireShark ColorFilter declaration
# This file was created by Wireshark. Edit with care.
#
### ENABLED BY DEFAULT ###
#
# These ColoringRules will mark all TCP Retransmissions (and other interesting TCP
# events) with an easy to spot red background color. This makes it very easy to
# spot where PacketLoss occurs for TCP based protocols and can be used to quickly
# find performance issues related to PacketLoss.
#
# This filter requires that the preference for Analyzing TCP Sequence numbers has
# been enabled, or else the filter will not work. Make sure that the preference
# setting for this feature has been enabled:
#
# Copied from https://wiki.wireshark.org/TCP_Retransmissions_ColorFilter
#
@TCP [email protected]@[65534,13425,11528][0,0,0]
#
###########################################
#
### ENABLED BY DEFAULT ###
#
# Copied from https://youtu.be/wYTg4zkoUg8?t=2808 by Johannes Weber (weberdns.de)
#
@DNS [email protected] > 0.03@[65535,43690,0][0,0,0]
@DNS very [email protected] > 1@[65535,21845,0][0,0,0]
@DNS dynamic [email protected] eq 5@[65535,43690,65535][0,0,0]
@DNS@dns && !(icmp) && !(icmpv6)@[65535,65535,0][0,0,0]
@IPv6 MLD [email protected] in {130,131,132,143}@[65535,65535,65535][51143,60652,59881]
@ICMPv6 [email protected] eq 135 && ipv6.src eq ::@[43690,65535,0][0,0,0]
@ICMPv6 NS/NA@icmpv6.type in {135,136}@[0,65535,65535][0,0,0]
@ICMPv6 RS/RA@icmpv6.type in {133,134}@[43690,21845,65535][0,0,0]
#
###########################################
#
### DISABLED BY DEFAULT ###
#
# This is a link[0] to Wireshark entries on my blog. Included are various coloring
# rules updates and font/icon size fixes for MacOSX/Linux.
#
# This is a general use set of Coloring Rules. I believe the colors are a little
# easier to view than some of the other sets here. I have updated these to be
# compatible with 0.10.13 as everything was being marked as red before.
#
# [0]: http://blog.tp.org/cgi-bin/mt-search.cgi?blog_id=3&tag=wireshark&limit=20
#
# Copied from https://wiki.wireshark.org/Jay's_Coloring_Rules
#
!@Attn@ tcp.analysis.flags || tcp.checksum_bad || udp.checksum_bad || ip.fragment.error || ip.fragment.overlap.conflict || ip.fragment.overlap@[52428,17476,17476][65535,65535,65535]
!@NW Change@(hsrp.state != 8 && hsrp.state !=16) || stp.type == 0x80 || ospf.msg != 1@[34952,34952,34952][65535,65535,0]
!@NW [email protected] || cdp || hsrp || vrrp || ospf || bgp || eigrp || rip || gvrp || rtmp || igmp || eth.addr == 01:00:0c:cc:cc:cc@[34952,34952,34952][0,0,0]
!@Core Srvcs@arp || ntp || dns || udp.port == 67 || udp.port == 68@[34952,34952,43690][0,0,0]
!@[email protected] > 224.0.0.0@[39321,48059,39321][0,0,0]
!@ICMP [email protected] range 3 5 || icmp.type eq 11@[56540,52017,56540][65535,0,0]
!@ICMP@icmp@[56540,51914,56540][0,0,0]
!@[email protected] & 0x04@[61717,47055,24609][0,0,0]
!@[email protected] & 0x02@[30583,65535,30583][607,3474,607]
!@[email protected] & 0x01@[65535,34952,34952][0,0,0]
!@HTTP@http@[43734,43734,56797][0,0,0]
!@NetBIOS@netbios || nbns || smb || srvloc || srvsvc || nbss@[36700,36700,61166][0,0,0]
!@TCP@tcp@[53739,53739,65535][0,0,0]
!@UDP@udp@[60948,60948,65535][0,0,0]
#
###########################################
#
### DISABLED BY DEFAULT ###
#
# This is a general use Color Filter. I use it to distinguish some of the most
# used protocols on my network and my customers' networks.
#
# Copied from https://wiki.wireshark.org/General_use_ColorFilter
#
!@NTP@ntp && !icmpv6 && !icmp@[65535,21845,65535][0,0,0]
!@httptcp@ tcp.srcport == 80 or tcp.dstport == 80@[38385,62683,65534][0,0,0]
!@DNS@dns@[19194,65534,32100][0,0,0]
!@ARP@arp@[65202,65533,24456][0,0,0]
!@icmp@icmp@[65534,8609,6712][0,0,0]
!@STP@stp@[65534,65534,65534][8262,42200,9408]
!@[email protected] == 139 or tcp.dstport == 139 or tcp.srcport == 138 or tcp.dstport == 138 or tcp.srcport == 137 or tcp.dstport == 137 or udp.srcport == 139 or udp.dstport == 139 or udp.srcport == 138 or udp.dstport == 138 or udp.srcport == 137 or udp.dstport == 137@[7961,5947,65534][64045,65535,62556]
!@smtp@ tcp.srcport == 25 or tcp.dstport == 25@[65534,10208,51170][62059,62059,62059]
!@pop@ tcp.srcport == 110 or tcp.dstport == 110@[65534,7268,54440][0,0,0]
!@nntp@nntp@[49886,47154,63549][992,992,992]
!@snmp@snmp@[62556,52730,2142][7636,32644,64045]
!@igmp@igmp@[45944,5999,65534][0,0,0]
!@telnet@ tcp.srcport == 23 or tcp.dstport == 23@[9274,47661,3862][0,0,0]
!@tftp@tftp@[59220,3637,65534][0,0,0]
!@ftp@ftp@[62721,6393,65534][0,13490,65038]
!@Q931@q931@[14275,65534,25039][0,0,0]
!@rsvp@rsvp@[60324,7655,65534][63348,65535,9481]
!@CMIP@ udp.srcport == 164 or udp.dstport == 164@[47957,9122,9122][60977,63600,0]
!@tcp@tcp@[40555,49091,65534][0,0,0]
!@udp@udp@[39040,49264,65534][64542,64542,64542]
#
###########################################
#
### ENABLED BY DEFAULT ###
#
# The default
#
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
@Spanning Tree Topology Change@stp.type == 0x80@[4626,10023,11822][65535,64764,40092]
@OSPF State Change@ospf.msg != 1@[4626,10023,11822][65535,64764,40092]
@ICMP errors@icmp.type in { 3..5, 11 } || icmpv6.type in { 1..4 }@[4626,10023,11822][47031,63479,29812]
@ARP@arp@[64250,61680,55255][4626,10023,11822]
@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
@TCP RST@tcp.flags.reset eq 1@[42148,0,0][65535,64764,40092]
@SCTP ABORT@sctp.chunk_type eq ABORT@[42148,0,0][65535,64764,40092]
@IPv4 TTL low or unexpected@(ip.dst != 224.0.0.0/4 && ip.ttl < 5 && !(pim || ospf || eigrp || bgp || tcp.port==179)) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp || eigrp || rip || glbp))@[42148,0,0][60652,61680,60395]
@IPv6 hop limit low or unexpected@(ipv6.dst != ff00::/8 && ipv6.hlim < 5 && !( ospf|| bgp || tcp.port==179)) || (ipv6.dst==ff00::/8 && ipv6.hlim not in {1, 64, 255})@[42148,0,0][60652,61680,60395]
@Checksum Errors@eth.fcs.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
@SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
@TCP@tcp@[59367,59110,65535][4626,10023,11822]
@UDP@udp@[56026,61166,65535][4626,10023,11822]
@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]
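Every rule above follows the same shape: an optional leading `!` (the rule is kept in the file but disabled), then `@name@display-filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]`, with the six colour channels written as 16-bit values (0 to 65535). Rules are evaluated top to bottom and the first enabled rule whose filter matches a packet decides its colour, so the order of the lines matters. The following parser/serialiser is an added example written for this page; it is not code from the gist and not Wireshark's own reader. The sample text it parses is constructed from intact rule lines shown above, and the `bg_hex()` conversion (top byte of each 16-bit channel) is an assumption about how to map the stored values to a web colour.

```python
"""Parse, validate and re-emit Wireshark ``colorfilters`` rule lines.

Added example, not part of the gist or of Wireshark. Rule format assumed:

    [!]@<name>@<display filter>@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]

A leading '!' marks a rule that is present but disabled; colour channels
are 16-bit integers (0..65535).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

RGB16 = Tuple[int, int, int]

# The filter group is greedy ('.*') so an '@' inside a display filter does
# not break parsing; the colour block is anchored to the end of the line.
_RULE_RE = re.compile(
    r"^(?P<disabled>!?)@(?P<name>[^@]*)@(?P<filter>.*)@"
    r"\[(?P<bg>\d+,\d+,\d+)\]\[(?P<fg>\d+,\d+,\d+)\]$"
)


class RuleError(ValueError):
    """Raised for a line that is not a well-formed colour rule."""


@dataclass
class ColorRule:
    name: str
    filter: str
    bg: RGB16
    fg: RGB16
    enabled: bool = True

    def to_line(self) -> str:
        """Serialise back into the colorfilters file format."""
        bg = ",".join(str(c) for c in self.bg)
        fg = ",".join(str(c) for c in self.fg)
        prefix = "" if self.enabled else "!"
        return f"{prefix}@{self.name}@{self.filter}@[{bg}][{fg}]"

    def bg_hex(self) -> str:
        """Background as '#rrggbb': keep the high byte of each 16-bit channel."""
        return "#%02x%02x%02x" % tuple(c >> 8 for c in self.bg)


def _parse_rgb(text: str) -> RGB16:
    r, g, b = (int(p) for p in text.split(","))
    for c in (r, g, b):
        if not 0 <= c <= 65535:
            raise RuleError(f"colour channel {c} outside 16-bit range")
    return (r, g, b)


def parse_rule(line: str) -> ColorRule:
    """Parse one rule line; raise RuleError on malformed input."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise RuleError(f"not a colour rule: {line!r}")
    if not m["filter"].strip():
        raise RuleError(f"empty display filter in rule {m['name']!r}")
    return ColorRule(
        name=m["name"],
        filter=m["filter"].strip(),
        bg=_parse_rgb(m["bg"]),
        fg=_parse_rgb(m["fg"]),
        enabled=(m["disabled"] == ""),
    )


def parse_file(text: str) -> List[ColorRule]:
    """Parse a whole file, skipping '#' comments and blank lines.

    Order is preserved: Wireshark checks rules top to bottom and the first
    enabled rule whose filter matches decides a packet's colour.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def enabled_filters(rules: List[ColorRule]) -> List[str]:
    """Display filters of the enabled rules, in match-priority order."""
    return [r.filter for r in rules if r.enabled]


# Constructed sample: a comment plus three intact rule lines from the gist.
SAMPLE = """\
# This file was created by Wireshark. Edit with care.
@ARP@arp@[64250,61680,55255][4626,10023,11822]
!@TCP@tcp@[53739,53739,65535][0,0,0]
@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
"""

if __name__ == "__main__":
    for rule in parse_file(SAMPLE):
        state = "on " if rule.enabled else "off"
        print(f"[{state}] {rule.name:<10} {rule.bg_hex()}  {rule.filter}")
```

Running the module prints the three sample rules with their on/off state and background colour; `parse_rule` rejects lines with an empty filter or an out-of-range channel, which is the kind of line that silently stops Wireshark from loading a hand-edited profile.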
| Name | Filter |
| --- | --- |
| Destination | `eth.dst` |
| Geo Src City | `ip.geoip.src_city or ipv6.geoip.src_city` |
| Geo Dst City | `ip.geoip.dst_city or ipv6.geoip.dst_city` |
| VLAN-ID | `vlan.id` |
| Original Source triggering ICMP Error | `ipv6.dst` |
| ICMP type | `icmp.type or icmpv6.type` |
| TCP Stream-ID | `tcp.stream` |
| UDP Stream-ID | `udp.stream or quic.connection.number` |
| Hop Limit | `ipv6.hlim or ip.ttl` |
| DNS Query or Host or SNI | `dns.qry.name or http.host or tls.handshake.extensions_server_name` |
| Comment | `frame.comment` |
| HTTP/2 Stream-ID | `http2.streamid` |

Display Filters

| Filter | Comment |
| --- | --- |
| `dns` | (payload only) |
| `udp.port eq 53 or tcp.port eq 53` | Unencrypted DNS |
| `udp.port eq 53 or tcp.port eq 53 or ipv6.nxt eq 44 or ip.flags.mf eq 1` | UDP-DNS fragmentation of the response packet |