Ask Your Question
0

Feature request: Dynamic Colorization Rules

asked 2024-04-25 08:02:41 +0000

ThePooBurner gravatar image

updated 2024-04-25 23:06:13 +0000

EDIT: Discussion now taking place on Gitlab https://gitlab.com/wireshark/wireshark/-/issues/19802

Background:
So it took me forever to google the correct way to change the "active selected item" coloring rule. Turns out it's in the preferences area under fonts & color. Seems rather obvious now, but that something this basic was so hard to find on google seems like there needs to be something somewhere in the manual about how to do it. That said, seeing where the selected item coloring was, and how it worked when changed, left me disappointed at what I found.

In learning about Display filters I was intrigued by the ability to use field references. Because of the project I'm currently working on for school I am particularly interested in seeing conversations taking place easily and following them quickly. To help with that I created a filter button with "tcp.stream == ${tcp.stream}" as the expression. It works great. With the push of a button the packet list is re-filtered to show just the packets that are a part of the currently selected packet's conversation.

Knowing that the coloring rules use the same criteria as the display filters I immediately wanted to create a rule that did visually the same thing as but button I had just created. I tried to create a coloring rule at the top of my list with the criteria: "tcp.stream == ${tcp.stream}", but unfortunately it didn't do anything. I learned that the coloring rules are applied as a "pre-filter" to all of the packets before they are displayed, so a dynamically referenced field doesn't have anything selected to reference. Even if a packet is selected at the time you hit "ok" in the color rules dialog box, the coloring is applied before focus has been passed back to the packet list, so the dynamic rule still doesn't even "sort of" work.

The Idea:
I'm sure I'm not the only one who thinks it would be awesome to have Dynamic coloring rules that are applied each time you select a packet in the packet list. In my case I think I would be awesome to be able to assign "tcp.stream == ${tcp.stream}" to the "selected item" property so that as I move through the packets the rest of the conversation is instantly highlighted (and stays highlighted as part of the "inactive selected" state).

Even better would be if there was a Dynamic Color Filter bar above the display filter bar (perhaps toggle-able. not everyone would want to see it or use it) where we could put in on the fly a new coloring rule. This would be especially handy on larger pcaps where re-filtering the packet list takes longer than desired.

I can see this being handy for those who like to run without any present color filters. They could define a single filter on the fly to instantly hone in on what they are looking for without ... (more)

edit retag flag offensive close merge delete

Comments

The enhancement request was raised in GitLab as: https://gitlab.com/wireshark/wireshar...

grahamb gravatar imagegrahamb ( 2024-04-25 11:21:32 +0000 )edit

Yeah, I posted it there with a little more refinement after I saw in other questions that gitlab was the proper place to make requests. I meant to come back here and link it myself, but it was 4am so it slipped my mind :)

ThePooBurner gravatar imageThePooBurner ( 2024-04-25 17:08:55 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2024-04-25 21:45:24 +0000

SYN-bit gravatar image

Have you seen the "Conversaton Coloring" functionality (FKA Temporary Coloring)? It let's you colorize TCP/UDP/IP/Eth conversations with the click of a button or keystroke. It also gives you the option to pick any field+value from the packet details to create a temporary (dynamic?) color. It might not match to 100% of your use-cases, but I think it can come close.

From the Users Guide:

There are two types of coloring rules in Wireshark: temporary rules that are only in effect until you quit the program, and permanent rules that are saved in a preference file so that they are available the next time you run Wireshark.

Temporary rules can be added by selecting a packet and pressing the Ctrl key together with one of the number keys. This will create a coloring rule based on the currently selected conversation. It will try to create a conversation filter based on TCP first, then UDP, then IP and at last Ethernet. Temporary filters can also be created by selecting the Colorize with Filter → Color X menu items when right-clicking in the packet detail pane.

edit flag offensive delete link more

Comments

I did read about those, yes. There is much more elaboration in the discussion happening on gitlab.

ThePooBurner gravatar imageThePooBurner ( 2024-04-25 21:54:02 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2024-04-25 08:02:41 +0000

Seen: 98 times

Last updated: Apr 25

Related questions

How to check XHR that sends to get dynamic content on a website?

filtering open ports on wireshark

Finding a gap in length or id

ERSPAN ID - Adding Information to captured packets

Unable to display IEEE1722-1 packet in Wireshark 3.0.3

How can I search within data, specifically in the TCP segment data?

Call analysis capabilities

How to find the make and model of a local router? [closed]

Filter URL By Number Characters

Display filter not showing HTTP packets