WireShark ColorFilter declaration

WireSharkColorFilter.txt

# This file was created by Wireshark. Edit with care.
#
### ENABLED BY DEFAULT ###
#
# These ColoringRules will mark all TCP Retransmissions (and other interesting TCP
# events) with an easy to spot red background color. This makes it very easy to
# spot where PacketLoss occurs for TCP based protocols and can be used to quickly
# find performance issues related to PacketLoss.
#
# This filter requires that the preference for Analyzing TCP Sequence numbers has
# been enabled, or else the filter will not work. Make sure that the preference
# setting for this feature has been enabled:
#
# Copied from https://wiki.wireshark.org/TCP_Retransmissions_ColorFilter
#
@TCP [email protected]@[65534,13425,11528][0,0,0]
#
###########################################
#
### ENABLED BY DEFAULT ###
#
# Copied from https://youtu.be/wYTg4zkoUg8?t=2808 by Johannes Weber (weberdns.de)
#
@DNS [email protected] > 0.03@[65535,43690,0][0,0,0]
@DNS very [email protected] > 1@[65535,21845,0][0,0,0]
@DNS dynamic [email protected] eq 5@[65535,43690,65535][0,0,0]
@DNS@dns && !(icmp) && !(icmpv6)@[65535,65535,0][0,0,0]
@IPv6 MLD [email protected] in {130,131,132,143}@[65535,65535,65535][51143,60652,59881]
@ICMPv6 [email protected] eq 135 && ipv6.src eq ::@[43690,65535,0][0,0,0]
@ICMPv6 NS/[email protected] in {135,136}@[0,65535,65535][0,0,0]
@ICMPv6 RS/[email protected] in {133,134}@[43690,21845,65535][0,0,0]
#
###########################################
#
### DISABLED BY DEFAULT ###
#
# This is a link[0] to Wireshark entries on my blog. Included are various coloring
# rules updates and font/icon size fixes for MacOSX/Linux.
#
# This is a general use set of Coloring Rules. I believe the colors are a little
# easier to view than some of the other sets here. I have updated these to be
# compatable with 0.10.13 as everything was being marked as red before.
#
# [0]: http://blog.tp.org/cgi-bin/mt-search.cgi?blog_id=3&tag=wireshark&limit=20
#
# Copied from https://wiki.wireshark.org/Jay's_Coloring_Rules
#
!@Attn@ tcp.analysis.flags || tcp.checksum_bad || udp.checksum_bad || ip.fragment.error || ip.fragment.overlap.conflict || ip.fragment.overlap@[52428,17476,17476][65535,65535,65535]
!@NW Change@(hsrp.state != 8  && hsrp.state !=16) || stp.type == 0x80 || ospf.msg != 1@[34952,34952,34952][65535,65535,0]
!@NW [email protected] || cdp || hsrp || vrrp || ospf || bgp || eigrp || rip || gvrp || rtmp || igmp || eth.addr == 01:00:0c:cc:cc:cc@[34952,34952,34952][0,0,0]
!@Core Srvcs@arp || ntp || dns || udp.port == 67 || udp.port == 68@[34952,34952,43690][0,0,0]
!@[email protected] > 224.0.0.0@[39321,48059,39321][0,0,0]
!@ICMP [email protected] range 3 5 || icmp.type eq 11@[56540,52017,56540][65535,0,0]
!@ICMP@icmp@[56540,51914,56540][0,0,0]
!@[email protected] & 0x04@[61717,47055,24609][0,0,0]
!@[email protected] & 0x02@[30583,65535,30583][607,3474,607]
!@[email protected] & 0x01@[65535,34952,34952][0,0,0]
!@HTTP@http@[43734,43734,56797][0,0,0]
!@NetBIOS@netbios || nbns || smb || srvloc || srvsvc || nbss@[36700,36700,61166][0,0,0]
!@TCP@tcp@[53739,53739,65535][0,0,0]
!@UDP@udp@[60948,60948,65535][0,0,0]
#
###########################################
#
### DISABLED BY DEFAULT ###
#
# This is a General use Color Filter. I use it to distinguish some of the most
# used protocols on my network and my customers networks.
#
# Copied from https://wiki.wireshark.org/General_use_ColorFilter
#
!@NTP@ntp && !icmpv6 && !icmp@[65535,21845,65535][0,0,0]
!@httptcp@ tcp.srcport == 80 or tcp.dstport == 80@[38385,62683,65534][0,0,0]
!@DNS@dns@[19194,65534,32100][0,0,0]
!@ARP@arp@[65202,65533,24456][0,0,0]
!@icmp@icmp@[65534,8609,6712][0,0,0]
!@STP@stp@[65534,65534,65534][8262,42200,9408]
!@[email protected] == 139 or tcp.dstport == 139 or  tcp.srcport == 138 or tcp.dstport == 138 or  tcp.srcport == 137 or tcp.dstport == 137 or udp.srcport == 139 or udp.dstport == 139 or  udp.srcport == 138 or udp.dstport == 138 or  udp.srcport == 137 or udp.dstport == 137@[7961,5947,65534][64045,65535,62556]
!@smtp@ tcp.srcport == 25 or tcp.dstport == 25@[65534,10208,51170][62059,62059,62059]
!@pop@ tcp.srcport == 110 or tcp.dstport == 110@[65534,7268,54440][0,0,0]
!@nntp@nntp@[49886,47154,63549][992,992,992]
!@snmp@snmp@[62556,52730,2142][7636,32644,64045]
!@igmp@igmp@[45944,5999,65534][0,0,0]
!@telnet@ tcp.srcport == 23 or tcp.dstport == 23@[9274,47661,3862][0,0,0]
!@tftp@tftp@[59220,3637,65534][0,0,0]
!@ftp@ftp@[62721,6393,65534][0,13490,65038]
!@Q931@q931@[14275,65534,25039][0,0,0]
!@rsvp@rsvp@[60324,7655,65534][63348,65535,9481]
!@CMIP@ udp.srcport == 164 or udp.dstport == 164@[47957,9122,9122][60977,63600,0]
!@tcp@tcp@[40555,49091,65534][0,0,0]
!@udp@udp@[39040,49264,65534][64542,64542,64542]
#
###########################################
#
### ENABLED BY DEFAULT ###
#
# The default
#
@Bad [email protected] && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695]
@HSRP State [email protected] != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
@Spanning Tree Topology  [email protected] == 0x80@[4626,10023,11822][65535,64764,40092]
@OSPF State [email protected] != 1@[4626,10023,11822][65535,64764,40092]
@ICMP [email protected] in { 3..5, 11 } || icmpv6.type in { 1..4 }@[4626,10023,11822][47031,63479,29812]
@ARP@arp@[64250,61680,55255][4626,10023,11822]
@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
@TCP [email protected] eq 1@[42148,0,0][65535,64764,40092]
@SCTP [email protected]_type eq ABORT@[42148,0,0][65535,64764,40092]
@IPv4 TTL low or unexpected@(ip.dst != 224.0.0.0/4 && ip.ttl < 5 && !(pim || ospf || eigrp || bgp || tcp.port==179)) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp || eigrp || rip || glbp))@[42148,0,0][60652,61680,60395]
@IPv6 hop limit low or unexpected@(ipv6.dst != ff00::/8 && ipv6.hlim < 5 && !( ospf|| bgp || tcp.port==179)) || (ipv6.dst==ff00::/8 && ipv6.hlim not in {1, 64, 255})@[42148,0,0][60652,61680,60395]
@Checksum [email protected]=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
@SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
@TCP SYN/[email protected] & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
@TCP@tcp@[59367,59110,65535][4626,10023,11822]
@UDP@udp@[56026,61166,65535][4626,10023,11822]
@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]

WireSharkCustomColumns.md

Name	Filter
Destination	eth.dst
Geo Src City	ip.geoip.src_city or ipv6.geoip.src_city
Geo Dst City	ip.geoip.dst_city or ipv6.geoip.dst_city
VLAN-ID	vlan.id
Original Source triggering ICMP Error	ipv6.dst
ICMP type	icmp.type or icmpv6.type
TCP Stream-ID	tcp.stream
UDP Stream-ID	udp.stream or quic.connection.number
Hop Limit	ipv6.hlim or ip.ttl
DNS Query or Host or SNI	dns.qry.name or http.host or tls.handshake.extensions_server_name
Comment	frame.comment
HTTP/2 Stream-ID	http2.streamid

WireSharkDisplayFilters.md

Display Filters

Filter	Comment
dns	(payload only)
udp.port eq 53 or tcp.port eq 53	Unencrypted DNS
udp.port eq 53 or tcp.port eq 53 or ipv6.nxt eq 44 or ip.flags.mf eq 1	UDP-DNS fragmentation of the response packet