Name | Filter |
---|---|
Destination | eth.dst |
Geo Src City | ip.geoip.src_city or ipv6.geoip.src_city |
Geo Dst City | ip.geoip.dst_city or ipv6.geoip.dst_city |
VLAN-ID | vlan.id |
Original Source triggering ICMP Error | ipv6.dst (an ICMP error is returned to the sender of the offending packet, so the outer destination is that sender; add `or ip.dst` for IPv4 errors, as the other rows pair ip.*/ipv6.*) |
ICMP type | icmp.type or icmpv6.type |
TCP Stream-ID | tcp.stream |
UDP Stream-ID | udp.stream or quic.connection.number |
Hop Limit | ipv6.hlim or ip.ttl |
DNS Query or Host or SNI | dns.qry.name or http.host or tls.handshake.extensions_server_name |
Comment | frame.comment |
HTTP/2 Stream-ID | http2.streamid |
WireShark ColorFilter declaration
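# This file was created by Wireshark. Edit with care.
#
# Rule format: [!]@<name>@<display filter>@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]
# Colour components are 16-bit (0-65535); the background triple comes first, the
# foreground (text) triple second. A leading "!" keeps the rule in the file but
# disables it. Rules are evaluated top to bottom and the FIRST match wins, so the
# specific rules (retransmissions, DNS anomalies, ICMPv6 ND, TTL checks) must stay
# above the broad per-protocol catch-alls (DNS, TCP, UDP) further down.
#
### ENABLED BY DEFAULT ###
#
# These ColoringRules will mark all TCP Retransmissions (and other interesting TCP
# events) with an easy to spot red background color. This makes it very easy to
# spot where PacketLoss occurs for TCP based protocols and can be used to quickly
# find performance issues related to PacketLoss.
#
# This filter requires that the preference for Analyzing TCP Sequence numbers has
# been enabled, or else the filter will not work. Make sure that the preference
# setting for this feature has been enabled:
#   Edit -> Preferences -> Protocols -> TCP -> "Analyze TCP sequence numbers"
#
# Copied from https://wiki.wireshark.org/TCP_Retransmissions_ColorFilter
#
# NOTE(review): the name and filter of this rule were mangled to "[email protected]"
# when the page was scraped. tcp.analysis.flags is the expression that matches the
# description above ("retransmissions and other interesting TCP events"); confirm
# against the wiki page before relying on it.
@TCP Retransmissions@tcp.analysis.flags@[65534,13425,11528][0,0,0]
#
###########################################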
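#
### ENABLED BY DEFAULT ###
#
# Copied from https://youtu.be/wYTg4zkoUg8?t=2808 by Johannes Weber (weberdns.de)
#
# NOTE(review): the rule names and the first field of each filter below were mangled
# to "[email protected]" on the scraped page. The field names are restored from the
# visible remainder of each filter (dns.time, dns.flags.opcode, icmpv6.type); the
# names are best-effort reconstructions and only affect the label shown in the GUI.
#
# dns.time is the query->response delay measured by the DNS dissector. The
# thresholds (30 ms / 1 s) come from the talk; tune them for your resolvers.
@DNS slow@dns.time > 0.03@[65535,43690,0][0,0,0]
@DNS very slow@dns.time > 1@[65535,21845,0][0,0,0]
# Opcode 5 is DNS UPDATE (RFC 2136). Dynamic updates from anything other than your
# DHCP servers / domain members deserve a second look.
@DNS dynamic update@dns.flags.opcode eq 5@[65535,43690,65535][0,0,0]
# Plain DNS, excluding the DNS fragment quoted inside an ICMP/ICMPv6 error
# (e.g. port unreachable) that would otherwise be coloured as DNS.
@DNS@dns && !(icmp) && !(icmpv6)@[65535,65535,0][0,0,0]
# 130-132 = MLDv1 query/report/done, 143 = MLDv2 report.
@IPv6 MLD messages@icmpv6.type in {130,131,132,143}@[65535,65535,65535][51143,60652,59881]
# Neighbor Solicitation from the unspecified address = Duplicate Address Detection.
# Kept above the generic NS/NA rule so DAD keeps its own colour (first match wins).
@ICMPv6 DAD@icmpv6.type eq 135 && ipv6.src eq ::@[43690,65535,0][0,0,0]
@ICMPv6 NS/NA@icmpv6.type in {135,136}@[0,65535,65535][0,0,0]
# Router Advertisements (134) from an unexpected source are the quickest tell for
# a rogue router / RA spoofing on the segment.
@ICMPv6 RS/RA@icmpv6.type in {133,134}@[43690,21845,65535][0,0,0]
#
###########################################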
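#
### DISABLED BY DEFAULT ###
#
# This is a link[0] to Wireshark entries on my blog. Included are various coloring
# rules updates and font/icon size fixes for MacOSX/Linux.
#
# This is a general use set of Coloring Rules. I believe the colors are a little
# easier to view than some of the other sets here. I have updated these to be
# compatible with 0.10.13 as everything was being marked as red before.
#
# [0]: http://blog.tp.org/cgi-bin/mt-search.cgi?blog_id=3&tag=wireshark&limit=20
#
# Copied from https://wiki.wireshark.org/Jay's_Coloring_Rules
#
# NOTE(review): this set dates from the Ethereal/0.10.x era. tcp.checksum_bad and
# udp.checksum_bad are not field names in current Wireshark (the "Checksum Errors"
# rule near the end of this file uses tcp.checksum.status=="Bad" instead), so the
# "Attn" rule will not compile if it is enabled without editing.
!@Attn@ tcp.analysis.flags || tcp.checksum_bad || udp.checksum_bad || ip.fragment.error || ip.fragment.overlap.conflict || ip.fragment.overlap@[52428,17476,17476][65535,65535,65535]
!@NW Change@(hsrp.state != 8 && hsrp.state !=16) || stp.type == 0x80 || ospf.msg != 1@[34952,34952,34952][65535,65535,0]
# FIXME(review): the first OR-term of this filter was lost to page mangling
# ("NW [email protected] || cdp ..."); it is omitted here rather than guessed.
# Restore it from the wiki page (the published rule name is "NW Mgmt") before enabling.
!@NW Mgmt@cdp || hsrp || vrrp || ospf || bgp || eigrp || rip || gvrp || rtmp || igmp || eth.addr == 01:00:0c:cc:cc:cc@[34952,34952,34952][0,0,0]
!@Core Srvcs@arp || ntp || dns || udp.port == 67 || udp.port == 68@[34952,34952,43690][0,0,0]
# "> 224.0.0.0" is a numeric comparison, not a /4 match: it also colours 240/4 and
# 255.255.255.255. ip.dst == 224.0.0.0/4 is the precise form (see the TTL rule below).
!@Mcast@ip.dst > 224.0.0.0@[39321,48059,39321][0,0,0]
!@ICMP Errs@icmp.type range 3 5 || icmp.type eq 11@[56540,52017,56540][65535,0,0]
!@ICMP@icmp@[56540,51914,56540][0,0,0]
# Bit tests on the raw flags byte: 0x04 = RST, 0x02 = SYN (also matches SYN/ACK), 0x01 = FIN.
!@RST@tcp.flags & 0x04@[61717,47055,24609][0,0,0]
!@SYN@tcp.flags & 0x02@[30583,65535,30583][607,3474,607]
!@FIN@tcp.flags & 0x01@[65535,34952,34952][0,0,0]
!@HTTP@http@[43734,43734,56797][0,0,0]
!@NetBIOS@netbios || nbns || smb || srvloc || srvsvc || nbss@[36700,36700,61166][0,0,0]
!@TCP@tcp@[53739,53739,65535][0,0,0]
!@UDP@udp@[60948,60948,65535][0,0,0]
#
###########################################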
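#
### DISABLED BY DEFAULT ###
#
# This is a General use Color Filter. I use it to distinguish some of the most
# used protocols on my network and my customers networks.
#
# Copied from https://wiki.wireshark.org/General_use_ColorFilter
#
# NOTE(review): several rules here match on port number (80, 25, 110, 23, 137-139,
# 164) rather than on the dissector. Port matches colour anything that happens to
# use the port and miss the same service on a non-standard port; the dissector
# names (http, smtp, pop, telnet, nbns/smb) used elsewhere in this file are the
# more reliable choice when you are hunting for a service rather than a port.
#
# Exclude the NTP fragment quoted inside ICMP errors, as the DNS rule above does.
!@NTP@ntp && !icmpv6 && !icmp@[65535,21845,65535][0,0,0]
!@httptcp@ tcp.srcport == 80 or tcp.dstport == 80@[38385,62683,65534][0,0,0]
!@DNS@dns@[19194,65534,32100][0,0,0]
!@ARP@arp@[65202,65533,24456][0,0,0]
!@icmp@icmp@[65534,8609,6712][0,0,0]
!@STP@stp@[65534,65534,65534][8262,42200,9408]
# NOTE(review): the name of this rule and its first field were mangled on the scraped
# page; the field is restored as tcp.srcport from the srcport/dstport pairs that
# follow, the name "netbios" is a best-effort label.
!@netbios@tcp.srcport == 139 or tcp.dstport == 139 or tcp.srcport == 138 or tcp.dstport == 138 or tcp.srcport == 137 or tcp.dstport == 137 or udp.srcport == 139 or udp.dstport == 139 or udp.srcport == 138 or udp.dstport == 138 or udp.srcport == 137 or udp.dstport == 137@[7961,5947,65534][64045,65535,62556]
!@smtp@ tcp.srcport == 25 or tcp.dstport == 25@[65534,10208,51170][62059,62059,62059]
!@pop@ tcp.srcport == 110 or tcp.dstport == 110@[65534,7268,54440][0,0,0]
!@nntp@nntp@[49886,47154,63549][992,992,992]
!@snmp@snmp@[62556,52730,2142][7636,32644,64045]
!@igmp@igmp@[45944,5999,65534][0,0,0]
!@telnet@ tcp.srcport == 23 or tcp.dstport == 23@[9274,47661,3862][0,0,0]
!@tftp@tftp@[59220,3637,65534][0,0,0]
!@ftp@ftp@[62721,6393,65534][0,13490,65038]
!@Q931@q931@[14275,65534,25039][0,0,0]
!@rsvp@rsvp@[60324,7655,65534][63348,65535,9481]
!@CMIP@ udp.srcport == 164 or udp.dstport == 164@[47957,9122,9122][60977,63600,0]
!@tcp@tcp@[40555,49091,65534][0,0,0]
!@udp@udp@[39040,49264,65534][64542,64542,64542]
#
###########################################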
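#
### ENABLED BY DEFAULT ###
#
# Wireshark's built-in default colouring rules. Names and leading field names were
# mangled to "[email protected]" on the scraped page and are restored here.
#
# tcp.analysis.flags minus the benign analysis events (window updates, keep-alives).
# Needs "Analyze TCP sequence numbers" enabled, like the retransmission rule above.
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695]
# Anything other than HSRP Active (16) / Standby (8) is a transition worth seeing.
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
@Spanning Tree Topology Change@stp.type == 0x80@[4626,10023,11822][65535,64764,40092]
# Any OSPF packet that is not a Hello (msg type 1).
@OSPF State Change@ospf.msg != 1@[4626,10023,11822][65535,64764,40092]
# ICMP 3..5 = unreachable/quench/redirect, 11 = time exceeded;
# ICMPv6 1..4 = unreachable/packet too big/time exceeded/parameter problem.
@ICMP errors@icmp.type in { 3..5, 11 } || icmpv6.type in { 1..4 }@[4626,10023,11822][47031,63479,29812]
@ARP@arp@[64250,61680,55255][4626,10023,11822]
@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
@TCP RST@tcp.flags.reset eq 1@[42148,0,0][65535,64764,40092]
@SCTP ABORT@sctp.chunk_type eq ABORT@[42148,0,0][65535,64764,40092]
# Low TTL / hop limit outside the routing-protocol exceptions. Besides misconfigured
# hosts this is also what traceroute probes and TTL-based IDS evasion look like,
# so it is worth a glance in a security review and not only a performance one.
@IPv4 TTL low or unexpected@(ip.dst != 224.0.0.0/4 && ip.ttl < 5 && !(pim || ospf || eigrp || bgp || tcp.port==179)) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp || eigrp || rip || glbp))@[42148,0,0][60652,61680,60395]
@IPv6 hop limit low or unexpected@(ipv6.dst != ff00::/8 && ipv6.hlim < 5 && !( ospf|| bgp || tcp.port==179)) || (ipv6.dst==ff00::/8 && ipv6.hlim not in {1, 64, 255})@[42148,0,0][60652,61680,60395]
# NOTE(review): TCP/UDP/IP checksum validation is off by default in Wireshark, so
# these fields usually read "Unverified" and the rule stays quiet. If you turn
# validation on, packets SENT by the capturing host will show "Bad" whenever the NIC
# does checksum offload -- that is an artefact of the capture point, not corruption.
@Checksum Errors@eth.fcs.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
@SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
# tcp.port == 80 colours any traffic on port 80 as HTTP, dissected or not.
@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822]
@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
# tcp.flags & 0x02 is the SYN bit, so this also matches SYN/ACK.
@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
@TCP@tcp@[59367,59110,65535][4626,10023,11822]
@UDP@udp@[56026,61166,65535][4626,10023,11822]
# eth[0] & 1 tests the I/G (group) bit of the destination MAC, so despite the name
# this matches every multicast frame as well as true broadcast.
@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]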