CHANGING THE COLUMN DISPLAY IN WIRESHARK
NOTE: I have an updated version of this information posted on the Palo Alto Networks blog at:
Wireshark is a great tool, but it's default column display doesn't work effectively for the type of analysis I normally do. Most people will change their columns from the default configuration. This guide shows how I change the columns in my Wireshark setup.
The default columns for Wireshark are: Packet number, Time, Source, Destination, Protocol, Length, and Info (as shown below):
Let's change this by editing our preferences ( edit --> Preferences ):
From the Wireshark Preferences menu, select columns:
From there, we're going to remove the first column, which is the "Number" (lists the current packet number you're viewing in the PCAP):
After that, I also remove Protocol and Length columns.
Next, we'll add some new columns, as shown below:
The first new column to add is the source port. You'll want to select Src port (unresolved) so you can see the port number. Otherwise, it'll show whatever server is associated with that port instead of the number.
The default name of any new columns is "New Column", so change the name of that new column.
Once you've changed the name, you can left-click and drag that column to the location you choose. We'll put it after the Source address.
After a few additions and column changes, here's the setup that I use. Notice how the Source and Destination addresses are changed to an "unresolved" field type.
Now let's fix the time. The default format is "Seconds Since Beginning Capture". Let's change it to "Date and Time of Day". Go to: View --> Time Display Format --> Date and Time of Day.
After that, we'll change the precision of the displayed time from automatic to "Seconds", as shown below ( View --> Time Display Format --> select "Seconds: 0"):
Some of the columns are aligned to the right, which we can fix by right-clicking on the column and selecting the proper alignment:
Now we have everything, but I also want to see the http.host name as one of the columns. To do that, let's filter on http.request, so we're only seeing the HTTP requests.
Expand the breakout in the middle section, so you see the Host: line in the HTTP header. Right-click on that, and select "Apply as Column" from the menu.
You'll notice now that the HTTP host from the GET or POST requests is now shown as a column. You might have to widen the column to see the whole name.
This setup for Wireshark is extremely useful when looking at HTTP traffic and figuring out an infection chain. I recommend anyone going through the training exercises use this configuration.
Click here to return to the main page.