" Wireshark Color Rules. "
In Wireshark's main packet list, packets are drawn in various colors, and each color has a meaning. The colors are controlled by coloring rules.
A good understanding of these colors speeds up packet analysis considerably, because the rules do a first triage of the capture for you.
01
—
Setup
There are two ways to reach the coloring rules. The first is a button in the toolbar above the packet list, as shown in the figure:
That brightly colored icon is the entrance to the coloring rules.
The other is the View --> Coloring Rules menu.
Click it to see all of the coloring rule settings:
Roughly speaking, a black background marks packets with errors, a red background marks abnormal situations, and the other colors mark normal traffic. The rules are evaluated from top to bottom and the first rule whose filter matches decides the color, which is why the error and anomaly rules sit above the plain protocol rules. The rules are stored as plain text in the colorfilters file of the current profile, one rule per line, so they can be shared between analysts or kept under version control.
02
—
Rules
This section goes through each of the default coloring rules. Each entry gives the rule name and its display filter, which is exactly the expression you could also type into the filter bar:
Bad TCP:tcp.analysis.flags && !tcp.analysis.window_update
That is, segments on which Wireshark's TCP analysis has raised an expert flag: retransmissions, out-of-order segments, "previous segment not captured" (packet loss), duplicate ACKs, zero window and so on. Window updates also set tcp.analysis.flags but are harmless, so they are excluded explicitly.
HSRP State Change:hsrp.state != 8 && hsrp.state != 16
HSRP is the Hot Standby Router Protocol. In its state field 8 means Standby and 16 means Active, so this rule matches any packet whose state is neither, i.e. a router in the Initial, Learn, Listen or Speak state and therefore in the middle of a transition.
Spanning Tree Topology Change:stp.type == 0x80
The BPDU type field of the Spanning Tree Protocol is 0x80 for a Topology Change Notification (TCN) BPDU, meaning the spanning tree topology has changed.
OSPF State Change:ospf.msg != 1
OSPF (Open Shortest Path First) packets whose type is not Hello (type 1): Database Description, Link State Request, Link State Update and Link State Acknowledgement. These appear when adjacencies form or link-state advertisements are flooded, while the routine Hellos stay out of this rule.
ICMP errors:icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4
These are ICMP error messages, not malformed type values: ICMPv4 type 3 Destination Unreachable, 4 Source Quench, 5 Redirect and 11 Time Exceeded, and ICMPv6 type 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded and 4 Parameter Problem. Because this rule comes before the plain ICMP rule, errors are colored differently from ordinary echo requests and replies.
ARP:arp
That is, the Address Resolution Protocol.
ICMP:icmp || icmpv6
Any remaining ICMP or ICMPv6 packet (echo request/reply, neighbor discovery and so on) not already caught by the ICMP errors rule above.
TCP RST:tcp.flags.reset eq 1
Segments with the RST flag set, i.e. the TCP connection is being reset. A reset that also carries a TCP analysis flag is caught by Bad TCP first, since that rule is higher in the list.
SCTP ABORT:sctp.chunk_type eq ABORT
The chunk type of the Stream Control Transmission Protocol (SCTP) packet is ABORT (6), the SCTP counterpart of a TCP reset.
TTL low or unexpected:( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))
Two cases of an unexpected TTL are flagged. First, a unicast packet (destination not in 224.0.0.0/4) whose TTL is below 5, excluding PIM: such a low TTL suggests a routing loop or a packet about to be discarded. Second, a link-local multicast packet (224.0.0.0/24) that is not mDNS (224.0.0.251) and does not carry TTL 1 as it should, unless it is VRRP or CARP, which deliberately send with TTL 255.
Checksum Errors:eth.fcs_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1 || sctp.checksum_bad==1 || mstp.checksum_bad==1 || cdp.checksum_bad==1 || edp.checksum_bad==1 || wlan.fcs_bad==1
The checksum of one of the listed protocols is wrong. On a PC this is very often not a real error: with checksum offloading enabled, the network card fills in the checksum after the point where the capture is taken, so outgoing packets are recorded with an incomplete checksum. Either disable offloading on the capture interface or turn off checksum validation in the protocol preferences (for example the TCP preference "Validate the TCP checksum if possible") when it gets in the way. Newer Wireshark releases express this rule with status fields such as tcp.checksum.status == "Bad" instead of tcp.checksum_bad == 1.
SMB:smb || nbss || nbns || nbipx || ipxsap || netbios
Server Message Block and the NetBIOS-family protocols it runs over.
HTTP:http || tcp.port == 80 || http2
HTTP, identified either by the dissector or simply by TCP port 80. This is a crude heuristic: anything on port 80 is colored as HTTP whether it is or not, HTTP on a non-standard port only matches if the dissector recognizes it, and HTTPS on port 443 is not covered at all.
IPX:ipx || spx
Internetwork Packet Exchange (IPX) and its SPX transport, the Novell NetWare protocol family.
DCERPC:dcerpc
That is, DCE/RPC, the Distributed Computing Environment / Remote Procedure Call protocol, of which Microsoft's MSRPC is a variant.
Routing:hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp
Routing and related control-plane protocols. Not all of these are strictly routing protocols: CDP, GVRP and IGMP are neighbor discovery, VLAN registration and multicast group management, but they are all infrastructure chatter that an analyst wants to spot at a glance. Note that RIP is not in the list.
TCP SYN/FIN:tcp.flags & 0x02 || tcp.flags.fin == 1
Segments that open or close a connection: tcp.flags & 0x02 tests the SYN bit in the raw flags byte, and tcp.flags.fin == 1 tests the FIN flag. Because this rule comes after Bad TCP and TCP RST, a retransmitted SYN or a RST is colored by those rules instead.
TCP:tcp
Any other TCP segment.
UDP:udp
Any UDP datagram not caught by an earlier rule.
Broadcast:eth[0] & 1
Broadcast frames. eth[0] & 1 tests the least significant bit of the first byte of the destination MAC address, which is the individual/group bit, so the rule actually matches multicast frames as well as the all-ones broadcast address. Most IP multicast has already been caught by an earlier rule (UDP, Routing, ICMP), so what ends up here is mainly non-IP group traffic such as LLDP or ordinary STP BPDUs.
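To make the top-to-bottom, first-match semantics concrete, here is an added Python model of the default rule list. It is not Wireshark code and not from the original article: the predicates are hand translations of the filter strings above, and the Pkt objects are constructed summaries of the dissected fields a rule consults, not real frames. The sample packets are chosen to show the ordering effects discussed above (a retransmitted SYN lands in Bad TCP rather than TCP SYN/FIN, an OSPF Hello is Routing while a Link State Update is OSPF State Change, a RIP packet sent with TTL 64 trips the TTL rule, and an LLDP frame ends up as Broadcast through the group bit).

```python
"""Model of Wireshark's coloring-rule evaluation: top to bottom, first match wins.
Predicates are hand translations of the default filters; Pkt is constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MCAST = ip_network("224.0.0.0/4")              # any IPv4 multicast
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")  # link-local scope, should carry TTL 1
MDNS = ip_address("224.0.0.251")
FIN, SYN, RST = 0x01, 0x02, 0x04               # raw tcp.flags bits


@dataclass
class Pkt:
    """Only the fields the rules consult; the defaults mean 'field absent'."""
    protos: frozenset = frozenset()        # dissectors present, e.g. {"eth", "ip", "tcp"}
    eth_dst0: int = 0x00                   # first byte of the destination MAC (eth[0])
    ip_dst: str = ""
    ip_ttl: int = 64
    tcp_flags: int = 0
    tcp_analysis: frozenset = frozenset()  # expert flags, e.g. {"retransmission"}
    tcp_port: int = 0
    icmp_type: int = -1
    icmpv6_type: int = -1
    checksum_bad: bool = False
    hsrp_state: int = -1
    stp_type: int = -1
    ospf_msg: int = -1
    sctp_chunk_type: int = -1


def has(p, *names):
    return any(n in p.protos for n in names)


def ttl_low_or_unexpected(p):
    if "ip" not in p.protos:
        return False
    dst = ip_address(p.ip_dst)
    # branch 1: unicast with a TTL about to expire (loop or long path), PIM excepted
    low_unicast = dst not in MCAST and p.ip_ttl < 5 and not has(p, "pim")
    # branch 2: link-local multicast not sent with TTL 1, except mDNS and the
    # VRRP/CARP protocols, which deliberately use TTL 255
    odd_mcast = (dst in LINK_LOCAL_MCAST and dst != MDNS
                 and p.ip_ttl != 1 and not has(p, "vrrp", "carp"))
    return low_unicast or odd_mcast


# Same order as the default list; the order is what makes the scheme work.
RULES = [
    ("Bad TCP", lambda p: bool(p.tcp_analysis) and "window_update" not in p.tcp_analysis),
    ("HSRP State Change", lambda p: has(p, "hsrp") and p.hsrp_state not in (8, 16)),
    ("Spanning Tree Topology Change", lambda p: p.stp_type == 0x80),
    ("OSPF State Change", lambda p: has(p, "ospf") and p.ospf_msg != 1),
    ("ICMP errors", lambda p: p.icmp_type in (3, 4, 5, 11) or p.icmpv6_type in (1, 2, 3, 4)),
    ("ARP", lambda p: has(p, "arp")),
    ("ICMP", lambda p: has(p, "icmp", "icmpv6")),
    ("TCP RST", lambda p: has(p, "tcp") and bool(p.tcp_flags & RST)),
    ("SCTP ABORT", lambda p: p.sctp_chunk_type == 6),
    ("TTL low or unexpected", ttl_low_or_unexpected),
    ("Checksum Errors", lambda p: p.checksum_bad),
    ("SMB", lambda p: has(p, "smb", "nbss", "nbns", "nbipx", "ipxsap", "netbios")),
    ("HTTP", lambda p: has(p, "http", "http2") or (has(p, "tcp") and p.tcp_port == 80)),
    ("IPX", lambda p: has(p, "ipx", "spx")),
    ("DCERPC", lambda p: has(p, "dcerpc")),
    ("Routing", lambda p: has(p, "hsrp", "eigrp", "ospf", "bgp", "cdp",
                                "vrrp", "carp", "gvrp", "igmp", "ismp")),
    ("TCP SYN/FIN", lambda p: has(p, "tcp") and bool(p.tcp_flags & (SYN | FIN))),
    ("TCP", lambda p: has(p, "tcp")),
    ("UDP", lambda p: has(p, "udp")),
    ("Broadcast", lambda p: bool(p.eth_dst0 & 1)),  # I/G bit: broadcast AND multicast
]


def color_rule(p):
    """Name of the first matching rule, or None (Wireshark's default coloring)."""
    return next((name for name, match in RULES if match(p)), None)


P = frozenset
SAMPLES = {  # constructed packets, chosen to show the ordering effects
    "syn_retransmit": Pkt(P({"eth", "ip", "tcp"}), ip_dst="10.0.0.5", tcp_flags=SYN,
                          tcp_analysis=P({"retransmission"})),
    "plain_rst":      Pkt(P({"eth", "ip", "tcp"}), ip_dst="10.0.0.5", tcp_flags=RST),
    "tcp_ttl3":       Pkt(P({"eth", "ip", "tcp"}), ip_dst="10.0.0.5", ip_ttl=3),
    "tls_on_443":     Pkt(P({"eth", "ip", "tcp", "tls"}), ip_dst="10.0.0.5", tcp_port=443),
    "anything_on_80": Pkt(P({"eth", "ip", "tcp"}), ip_dst="10.0.0.5", tcp_port=80),
    "dest_unreach":   Pkt(P({"eth", "ip", "icmp"}), ip_dst="10.0.0.5", icmp_type=3),
    "echo_request":   Pkt(P({"eth", "ip", "icmp"}), ip_dst="10.0.0.5", icmp_type=8),
    "ospf_hello":     Pkt(P({"eth", "ip", "ospf"}), 0x01, "224.0.0.5", ip_ttl=1, ospf_msg=1),
    "ospf_ls_update": Pkt(P({"eth", "ip", "ospf"}), 0x01, "224.0.0.5", ip_ttl=1, ospf_msg=4),
    "vrrp_ttl255":    Pkt(P({"eth", "ip", "vrrp"}), 0x01, "224.0.0.18", ip_ttl=255),
    "rip_ttl64":      Pkt(P({"eth", "ip", "udp", "rip"}), 0x01, "224.0.0.9", ip_ttl=64),
    "lldp":           Pkt(P({"eth", "lldp"}), 0x01),
}


def classify_all():
    return {name: color_rule(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, rule in classify_all().items():
        print(f"{name:15} -> {rule}")
```

The point of the model is the list order, not the predicates themselves: move TCP SYN/FIN above Bad TCP and a retransmitted SYN silently turns gray instead of black, which is exactly the kind of mistake that happens when custom rules are appended without thinking about where they sit. When adding your own rules, put the narrow, alarming ones at the top and the broad protocol buckets at the bottom.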
Some of these protocols (IPX, DCE/RPC, HSRP and the like) are rare in today's Internet traffic but still common inside enterprise and campus networks, so they are kept in the default coloring rules even though many analysts never meet them. When one of them does show up, its standards document is enough to reconstruct the protocol and extract what matters from the capture.
If you would like to discuss this, feel free to contact me.