1
00:00:00,000 --> 00:00:08,373


2
00:00:08,389 --> 00:00:12,359
Ok, our next module will be on colorizing.

3
00:00:12,359 --> 00:00:14,811
So, colorizing is an option

4
00:00:14,811 --> 00:00:16,541
that you have within Wireshark.

5
00:00:16,541 --> 00:00:21,026
It's not the most glamorous option

6
00:00:21,029 --> 00:00:23,117
available within Wireshark but

7
00:00:23,128 --> 00:00:26,152
it's definitely helpful. It's good for when

8
00:00:26,152 --> 00:00:27,796
you want to customize your data.

9
00:00:27,796 --> 00:00:31,243
Or I should say, the data that you're

10
00:00:31,253 --> 00:00:33,375
shown in the capture window.

11
00:00:33,378 --> 00:00:37,335
And it's very, very helpful for when you want

12
00:00:37,335 --> 00:00:40,942
to specifically target data that you know about.

13
00:00:40,942 --> 00:00:45,596
So, why do we set up coloring rules?

14
00:00:45,596 --> 00:00:49,429
Ease of use - you want to basically get in.

15
00:00:49,437 --> 00:00:52,462
You want to set up Wireshark in a way

16
00:00:52,467 --> 00:00:55,958
where when you start troubleshooting data,

17
00:00:55,971 --> 00:00:58,186
specific data, like for example,

18
00:00:58,179 --> 00:01:00,314
tracking a conversation is brought

19
00:01:00,314 --> 00:01:01,863
to the forefront to view.

20
00:01:01,863 --> 00:01:06,642
A lot of times we are creatures

21
00:01:06,651 --> 00:01:10,374
that we see things, we react to them.

22
00:01:10,384 --> 00:01:13,027
So that when you see something, for example

23
00:01:13,024 --> 00:01:15,208
that is very bold and colorful,

24
00:01:15,205 --> 00:01:17,266
or stands out to you or you configure it

25
00:01:17,272 --> 00:01:20,416
to do so, you can quickly view it

26
00:01:20,416 --> 00:01:22,395
and start drilling down into it.

27
00:01:22,395 --> 00:01:27,154
So essentially, that's one of the major reasons.

28
00:01:27,154 --> 00:01:30,223
Other reasons are that you may have

29
00:01:30,223 --> 00:01:31,791
data that you want to separate.

30
00:01:31,791 --> 00:01:33,879
So for example, if you have Ethernet,

31
00:01:33,879 --> 00:01:35,885
and you have multiple frame types

32
00:01:35,885 --> 00:01:38,167
or something of that nature, you may want

33
00:01:38,164 --> 00:01:39,869
to highlight them with colors.

34
00:01:39,869 --> 00:01:43,141
You may want to dissect

35
00:01:43,144 --> 00:01:45,224
specific things in your capture

36
00:01:45,227 --> 00:01:47,138
to show up in a certain way where

37
00:01:47,134 --> 00:01:49,526
if you saw them, if you did not colorize

38
00:01:49,536 --> 00:01:52,128
some of it, you may miss it.

39
00:01:52,124 --> 00:01:54,125
It may be confusing to you.

40
00:01:54,121 --> 00:01:57,582
So, that's essentially why you're going

41
00:01:57,578 --> 00:02:00,638
to set up coloring rules.

42
00:02:00,643 --> 00:02:03,782
So, just so you know, obviously when you

43
00:02:03,798 --> 00:02:06,071
install Wireshark, there's a default set,

44
00:02:06,067 --> 00:02:08,735
default set of colors or coloring rules

45
00:02:08,743 --> 00:02:11,538
that are in use and a lot of them

46
00:02:11,549 --> 00:02:15,393
are things that you've probably

47
00:02:15,386 --> 00:02:18,002
commonly seen if you've used Wireshark.

48
00:02:18,017 --> 00:02:20,248
Generally, something shows up

49
00:02:20,244 --> 00:02:22,364
when the Expert flags it.

50
00:02:22,367 --> 00:02:24,116
It will show up as a certain color

51
00:02:24,112 --> 00:02:26,784
so that you know that it was flagged.

52
00:02:26,778 --> 00:02:29,744
But particularly, there's 2 major

53
00:02:29,744 --> 00:02:30,841
components of the rule.

54
00:02:30,841 --> 00:02:33,490
And that's things that are set up permanently,

55
00:02:33,490 --> 00:02:35,880
and things that are set up temporarily.

56
00:02:35,889 --> 00:02:40,646
So, when you open up your capture,

57
00:02:40,646 --> 00:02:43,079
you may want to say, just for this session,

58
00:02:43,079 --> 00:02:44,835
or just for this capture,

59
00:02:44,835 --> 00:02:48,409
I want to just flag this in particular in this color.

60
00:02:48,409 --> 00:02:51,098
So you can go in and do that.

61
00:02:51,098 --> 00:02:54,349
And then there's more permanent things

62
00:02:54,349 --> 00:02:55,986
that you may want to always leave

63
00:02:55,986 --> 00:03:00,658
status quo. So there's many ways to colorize.

64
00:03:00,658 --> 00:03:02,875
There are dialog box options.

65
00:03:02,875 --> 00:03:04,906
So you could go into the dialog box

66
00:03:04,905 --> 00:03:07,226
as well as the context menu.

67
00:03:07,223 --> 00:03:10,957
In this section here, you will see the,

68
00:03:10,952 --> 00:03:13,626
the dialog box, the coloring rule.

69
00:03:13,649 --> 00:03:15,274
So there's a lot of different things

70
00:03:15,274 --> 00:03:16,965
you can do here.

71
00:03:16,965 --> 00:03:19,874
So, as an example, one of the things that

72
00:03:19,881 --> 00:03:22,106
we want to look at is the,

73
00:03:22,111 --> 00:03:24,398
how the list is processed

74
00:03:24,398 --> 00:03:26,240
so that you can order these.

75
00:03:26,240 --> 00:03:28,813
It's, it's kind of like an ACL.

76
00:03:28,815 --> 00:03:31,496
It goes from top down and you can move

77
00:03:31,495 --> 00:03:33,992
things up higher for processing.

78
00:03:33,988 --> 00:03:37,137
And you can move them down

79
00:03:37,130 --> 00:03:39,585
based on your filter selection.

80
00:03:39,585 --> 00:03:41,644
Other things you can do is

81
00:03:41,645 --> 00:03:44,219
you can create new filters.

82
00:03:44,228 --> 00:03:46,489
You can edit pre-existing ones.

83
00:03:46,489 --> 00:03:48,305
You can enable and disable.

84
00:03:48,305 --> 00:03:50,807
And you can delete them completely.

85
00:03:50,807 --> 00:03:53,768
So, these are just some of the different

86
00:03:53,768 --> 00:03:55,413
things that you can do within

87
00:03:55,421 --> 00:03:57,958
the Wireshark coloring rules.

88
00:03:57,971 --> 00:04:00,915
What's nice about them is that you can

89
00:04:00,930 --> 00:04:05,897
import things that are online.

90
00:04:05,904 --> 00:04:07,790
Some of them are already pre-configured

91
00:04:07,800 --> 00:04:10,341
on wireshark.org.

92
00:04:10,327 --> 00:04:12,327
So if you go up on the website,

93
00:04:12,375 --> 00:04:17,013
you can find specifically that there are,

94
00:04:17,013 --> 00:04:20,341
there are ones that are already pre-configured,

95
00:04:20,341 --> 00:04:24,046
specific settings that you may already

96
00:04:24,046 --> 00:04:27,146
want to see and you can import them here

97
00:04:27,146 --> 00:04:28,399
so that you can use them.

98
00:04:28,399 --> 00:04:31,899
You can also export ones that you've built,

99
00:04:31,899 --> 00:04:33,780
as well, and give them to others.

100
00:04:33,780 --> 00:04:40,638
So with temporary, it's quick and easy.

101
00:04:40,638 --> 00:04:42,638
It's accessed from the toolbar menu,

102
00:04:42,638 --> 00:04:45,682
Wireshark coloring rules dialog box or the

103
00:04:45,688 --> 00:04:47,792
context menu within the capture window.

104
00:04:47,790 --> 00:04:51,618
They'll be removed as soon as

105
00:04:51,626 --> 00:04:52,754
you load another profile.

106
00:04:52,746 --> 00:04:55,640
So, the thing with temporary is it's exactly

107
00:04:55,640 --> 00:04:58,272
that you go in, you set up, let's say,

108
00:04:58,276 --> 00:05:00,829
you wanted a file of conversation very quickly,

109
00:05:00,829 --> 00:05:04,089
you colorize it temporarily, you do your filtering,

110
00:05:04,102 --> 00:05:06,102
there it is and you're done.

111
00:05:06,115 --> 00:05:10,065
With permanent, it's going to be saved

112
00:05:10,065 --> 00:05:11,382
to the profile for later use.

113
00:05:11,382 --> 00:05:13,753
So this hearkens to what we're talking about,

114
00:05:13,759 --> 00:05:16,312
about working quickly and efficiently.

115
00:05:16,307 --> 00:05:19,420
There may be a profile you want to set up or

116
00:05:19,427 --> 00:05:20,722
you can set up some more permanent

117
00:05:20,722 --> 00:05:21,872
coloring rules.

118
00:05:21,872 --> 00:05:24,459
You configure them how you've always

119
00:05:24,459 --> 00:05:26,236
wanted to see them within the profile.

120
00:05:26,244 --> 00:05:28,881
And you save them for future use.

121
00:05:28,906 --> 00:05:34,349
As you can see here, you can name them.

122
00:05:34,349 --> 00:05:36,910
Set up regular expressions,

123
00:05:36,917 --> 00:05:39,069
specifically on what you want to filter.

124
00:05:39,083 --> 00:05:42,203
Set up your colors, so you can go to

125
00:05:42,203 --> 00:05:43,747
foreground and background colors.

126
00:05:43,747 --> 00:05:45,705
Essentially, the background will be

127
00:05:45,705 --> 00:05:47,121
the highlight color in the back.

128
00:05:47,121 --> 00:05:48,900
And the foreground color will be

129
00:05:48,900 --> 00:05:50,805
specifically the wording that you see.

130
00:05:50,805 --> 00:05:52,764
And you can quickly disable

131
00:05:52,764 --> 00:05:54,227
in here if you need to.

132
00:05:54,227 --> 00:06:01,139


133
00:06:01,139 --> 00:06:03,139
