Understanding the coloring rules

Wireshark ships with built-in coloring rules: display filters paired with a color, which highlight specific traffic in the packet list. Locate the default coloring rules by going to the menu and choosing View | Coloring Rules, as shown in the following screenshot:

Default coloring rules

Once you are in the Coloring Rules menu, you can edit, delete, or add your own as needed. In addition to using the default coloring rules, you can create and share rules. An example can be found at https://wiki.wireshark.org/Jay%27s_Coloring_Rules.

Rules are evaluated in the order listed in the Coloring Rules dialog, and the first rule whose filter matches a packet determines that packet's color; later rules are not considered. To modify the position of a particular rule, select the rule and then drag it to the desired position.

A check mark on the left-hand side indicates an active rule. To deactivate a rule, clear its check mark so that Wireshark no longer considers it.

To edit a rule, complete the following:

  • Select and double-click the coloring rule you want to modify.
  • You can then edit the name or the filter used, along with the background and foreground colors.
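As an added illustration that is not from the book, the following Python model reproduces the list semantics described above: rules are kept in list order, a deactivated rule is skipped, and the first matching active rule colors the packet, so dragging a rule higher changes the outcome. It assumes the line layout of Wireshark's colorfilters profile file (not shown on this page) and substitutes a tiny hypothetical matcher for the real display-filter engine.

```python
import re

# Constructed sample laid out like Wireshark's "colorfilters" profile file
# (assumed format, not shown on the page): @name@display filter@[bg][fg] with
# 16-bit RGB colours; a leading "!" marks a deactivated rule (no check mark).
SAMPLE_COLORFILTERS = """\
@Bad TCP@tcp.analysis.flags@[0,0,0][65535,24383,24383]
!@HTTP@http@[36107,65535,32590][0,0,0]
@TCP RST@tcp.flags.reset eq 1@[37008,0,0][65535,63121,32639]
@TCP@tcp@[59345,58980,65535][0,0,0]
"""

RULE_RE = re.compile(
    r"^(!?)@([^@]+)@([^@]+)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


def parse_colorfilters(text):
    """Parse rule lines in file order into dicts; malformed lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        bang, name, flt, *rgb = m.groups()
        rgb = [int(v) for v in rgb]
        rules.append({"active": bang == "", "name": name, "filter": flt,
                      "bg": tuple(rgb[:3]), "fg": tuple(rgb[3:])})
    return rules


def filter_matches(flt, packet):
    """Hypothetical stand-in for the display-filter engine: a bare field name
    tests presence, 'field eq value' / 'field == value' tests equality."""
    m = re.fullmatch(r"(\S+)\s+(?:eq|==)\s+(\S+)", flt.strip())
    if m:
        field, value = m.groups()
        return field in packet and str(packet[field]) == value
    return flt.strip() in packet


def first_match(rules, packet):
    """Walk rules in list order, skip deactivated ones, first match wins."""
    for rule in rules:
        if rule["active"] and filter_matches(rule["filter"], packet):
            return rule["name"]
    return None


def move_rule(rules, name, new_index):
    """Mimic dragging a rule to a new position in the Coloring Rules list."""
    idx = next(i for i, r in enumerate(rules) if r["name"] == name)
    rules.insert(new_index, rules.pop(idx))
    return rules
```

A packet is modelled as a dict of field names present in it; a reset segment therefore lands on "TCP RST" unless an earlier active rule such as "Bad TCP" already matched.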

Although Wireshark can colorize packets, in some cases the coloring can be distracting. You can disable the coloring rules by clicking the coloring rules icon on the toolbar. The icon is generally underneath the Telephony menu, as shown in the following screenshot; however, its position can vary across versions, platforms, and layouts:

The coloring rules icon

Wireshark records the coloring rule applied to each packet in that packet's frame metadata. In addition to the information listed there about the time, frame, and protocols, you will see the name and filter string of the coloring rule that matched. To see an example of the coloring rule summary, follow these steps:

  1. Open the client-fast-retrans.pcap file.
  2. Go to frame 20 and expand the frame metadata by clicking the arrow to the right of the label for frame 20.
  3. At the end of the metadata list, you will see the following:

Coloring rules in the frame metadata

As you can see, the coloring rules provide guidelines on what traffic to home in on during analysis. Coloring rules only take effect while colorizing is enabled, which is the usual state. Next, let's take a look at how Wireshark incorporates the coloring rules within the Intelligent Scrollbar.
