I recently watched a series of really good videos from Brad Duncan, the man behind, and my initial takeaway was that setting up Wireshark properly will lead to a much better experience and greater success when hunting for malware traffic. In this post I will cover some of the most useful settings I discovered and how I set up Wireshark. A lot of these settings can be found on his website as well.

Since we are going to be making several customizations to the packet list window, we can create a new profile to save them so the default view remains intact. This is a completely optional step, since most people work with a single profile and editing the default is perfectly fine. If you want to set up different profiles, these are the steps to accomplish that. If you choose not to do this, you can skip ahead to the Column Settings section.

To get started, click on View > Configuration Profiles.

![Wireshark configuration profile]()

We want to make a copy of the default profile and name it something meaningful. Highlight Default and then click the right button that shows two small squares. You will notice in the bottom right corner of the window that the profile name has changed to the new one you just created. If you click on this you can change profiles easily, but for now, leave it set to the new one you just created.

The default columns in Wireshark are great to get you started, but you will find they are lacking useful information rather quickly. To solve this I removed several columns and added some that I needed. Here is what we are starting from:

![Wireshark default columns]()

I remove the No., Protocol, and Length columns and hide the Source column. I hide the Source column rather than removing it because I am typically analyzing traffic from a single computer, so I already know the source; if it is ever needed I can always unhide it. To achieve this, right click on the column heading and either select Remove Column or uncheck the column to hide it.

Now we need to fix the Time column, because the number of seconds since the start of the capture is not really helpful. In forensics everything is set to UTC, so I use that as my default. Go to View > Time Display Format and select UTC Date and Time of Day. One more thing you need to do while you are there is to change the precision from Automatic to Seconds; otherwise it will show you the time to about 8 decimal places of a second. Again, not really useful, and it takes up space we will need later.

Next, let's add our Destination Port number. I don't need Wireshark to tell me the protocol; I would rather see the port number being used. To do that, right click on any column heading and select Column Preferences. Next, click the + symbol at the bottom left to add a column. Double click on the Title field and enter Dest Port, then double click on the Type field and click the drop down. Select Dest Port (unresolved) so we see the port number and not the resolved service name (for example 443 rather than https). Now, to put these in the correct order, click and drag our new Dest Port column and drop it under the Destination column. It looks better, but the port number is right justified and everything else is left. Right click the column heading again and select Align Left at the top. Your column layout should look like this now.

I want to add the HTTP host name and the HTTPS server name. Any given packet will only ever have one or the other, so I want to put them both in the same column. One great thing about Wireshark is that you can right click any field in the Packet Details pane and add it as a column, which is what we are going to do.
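The same column layout can be written directly into the profile's preferences file instead of being clicked together. The fragment below is an added example, not a file from the original post: the profile name `Malware-Hunting` is an assumed name, the Source column is simply omitted (hide it in the GUI if you want it recoverable, since how a hidden column is recorded differs between Wireshark versions), and the combined host column uses the `http.host` and `tls.handshake.extensions_server_name` fields, which is my reading of "HTTP host name and HTTPS server name" (captures dissected by Wireshark releases older than 3.0 use `ssl.handshake.extensions_server_name` instead). Using `%Yut` for the Time column pins UTC date and time in the profile rather than relying on the View menu setting; the precision (Seconds) is still chosen under View > Time Display Format.

```text
# Wireshark per-profile preferences file (example, not the original author's file)
#   Linux/macOS: ~/.config/wireshark/profiles/Malware-Hunting/preferences
#   Windows:     %APPDATA%\Wireshark\profiles\Malware-Hunting\preferences
#
# Packet list column format.
# Each pair of strings consists of a column title and its format:
#   %Yut  UTC date and time of day
#   %d    destination address
#   %uD   destination port, unresolved (443, not "https")
#   %Cus  custom column: "field1 || field2" shows whichever field the packet has
#   %i    Info
gui.column.format: 
	"Time", "%Yut",
	"Destination", "%d",
	"Dest Port", "%uD",
	"Host", "%Cus:http.host || tls.handshake.extensions_server_name:0:R",
	"Info", "%i"
```

Edit the file while Wireshark is closed (it rewrites the preferences file on exit), then select the profile in the bottom right corner of the window. The same profile can be reused from the command line with `tshark -C Malware-Hunting -r capture.pcap`, which prints the packet list with these columns, handy when triaging a large capture before opening it in the GUI.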