Releases: ToddMaxey/WireShark_Configuration
January_30_2023
More column data displayed
There is now...
Column data for MaxMind geolocation
Ingress and egress hardware address
Expert messages
I have restructured the filter buttons and there are several new categories.
You can see the total list in the readme file.
Please join the discussion and provide feedback
Better filter organization and added Interface column
See Readme for the list of filters and column information
Experimenting with filter groups with dropdowns
Refinements to the columns and filters
Refinements and additions
Refinements to the Default profile and added Certificates profile for reviewing certificates in TLS traffic.
Full Changelog: V1.41...V2022.5.5
A few new changes
Added WINRM filter.
No Icons
#Oct_2021_updates
Latest updates to the Wireshark configuration include a CRL column and some display adjustments so that IP addresses are not resolved via DNS. Color-coded TLS 1.0 red so it stands out.
Minor Release
Added TCP Stream Index column
Wireshark Profile update
Wireshark Profile update
June_6_2021
WireShark_Configuration
This is my personal Wireshark configuration. It aids me in troubleshooting by adding new columns and filter buttons that help identify networking and/or machine configuration issues.
Instructions:
Download the configuration ZIP and replace the files in C:\Users\<yourusername>\AppData\Roaming\Wireshark (that is, %APPDATA%\Wireshark). Back up that directory first; the files in the ZIP overwrite your existing configuration.
Or you can manually add the columns and filters.
Details:
Additions - Columns
PID (Process ID) frame.comment. The ID of the local process that sent or received the packet. Only populated when the capture was taken as an ETL trace on Windows (Vista+) and converted with etl2pcapng, which stores the PID in each packet's comment; a normal Npcap/libpcap capture leaves this column empty.
See: https://github.com/microsoft/Convert-Etl2Pcapng and https://github.com/microsoft/etl2pcapng
⌚Δ (time delta) Delta time column type: the time since the previous captured frame
ByIF (Bytes In Flight) tcp.analysis.bytes_in_flight
RTT (Round Trip Time) tcp.analysis.ack_rtt, the time between a segment and the ACK that covers it (not tcp.analysis.bytes_in_flight, which is the ByIF column above)
SPort (Source Port) tcp.srcport or udp.srcport
DPort (Destination Port) tcp.dstport or udp.dstport
Auth (Authentication) kerberos or ntlmssp or radius or ldap.authentication or imap.request.username or mapi.EcDoConnect.name
Cert (Certificate) tls.handshake.certificates or pkcs12 or x509af or x509ce or x509if or x509sat
User / LDAP assertion / SNI / URI / HTTP / Cert tls.handshake.extensions_server_name or http.request.uri or http.request.line or ldap.assertionValue or radius.User_Name or ntlmssp.auth.username or imap.request.username or mapi.EcDoConnect.name or kerberos.CNameString or x509sat.printableString
HTTP Version Shows HTTP/2 (h2) and HTTP/1.1
TTL (Time To Live) ip.ttl or ipv6.hlim
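To add the columns and buttons by hand instead of unpacking the ZIP, they go into two plain-text files in the profile directory. The fragment below is an added illustration, not a copy of the repository's own files: the column titles and fields follow the list above, the buttons follow the list that comes next, and the %Cus column syntax and the dfilter_buttons line format are Wireshark's own. The RTT column is shown with tcp.analysis.ack_rtt, the field Wireshark fills with the measured ACK round trip.

```text
# --- preferences (in the profile directory) -------------------------------
# Packet list columns are pairs of "Title", "format". Built-in types use a
# code such as %m, %Tt, %s; custom columns use
#   %Cus:<display-filter field(s)>:<occurrence, 0 = all>:<R resolved | U raw>
gui.column.format:
	"No.", "%m",
	"⌚Δ", "%Tt",
	"Source", "%s",
	"SPort", "%Cus:tcp.srcport || udp.srcport:0:U",
	"Destination", "%d",
	"DPort", "%Cus:tcp.dstport || udp.dstport:0:U",
	"TTL", "%Cus:ip.ttl || ipv6.hlim:0:U",
	"ByIF", "%Cus:tcp.analysis.bytes_in_flight:0:U",
	"RTT", "%Cus:tcp.analysis.ack_rtt:0:U",
	"Auth", "%Cus:kerberos || ntlmssp || radius || ldap.authentication:0:R",
	"PID", "%Cus:frame.comment:0:U",
	"Protocol", "%p",
	"Length", "%L",
	"Info", "%i"

# Stop reverse-DNS lookups in the Source/Destination columns
nameres.network_name: FALSE

# --- dfilter_buttons (same directory) --------------------------------------
# One button per line: "enabled","label","display filter","comment"
"TRUE","HTTPS","tcp.port == 443",""
"TRUE","TLS Handshake","tls.handshake.type >= 1",""
"TRUE","ReXmit","tcp.analysis.retransmission",""
"TRUE","TLS Alerts","(tls.record.content_type == 21) && (tls.record.length < 26)",""
```

Wireshark reads both files at startup and writes them back whenever the settings change, so edit them with Wireshark closed, or enter the same values through Edit > Preferences > Columns and the + button on the filter toolbar. The tls.* field names require Wireshark 3.0 or later; older releases call the same fields ssl.*.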
Additions - Filter Buttons
HTTPS - tcp.port == 443
TLS Handshake - tls.handshake.type >= 1
Proxy Connects - http.request.method == "CONNECT"
DC Discovery - udp.port == 389 or dns.qry.type == 33 (CLDAP pings to domain controllers on UDP 389, and DNS SRV queries, the record type clients use to locate DCs)
Auth - kerberos or ntlmssp or radius or ldap.authentication or udp.port == 1812 or udp.port == 1813 or udp.port == 1645 or udp.port == 1646 or tcp.port == 88 or udp.port == 88 or imap.request.username or mapi.EcDoConnect.name or kerberos.CNameString or tls.handshake.extensions_server_name == "autologon.microsoftazuread-sso.com" or tls.handshake.extensions_server_name == "adnotifications.windowsazure.com" or tls.handshake.extensions_server_name == "logon.microsoftonline.com"
High/Low TTL - ip.ttl <= 64 or ip.ttl > 128 or ipv6.hlim <= 64 or ipv6.hlim > 128
ReXmit - tcp.analysis.retransmission
DNS - dns or tcp.port == 53 or udp.port == 53
ICMP - icmp or icmpv6
Remove RDP - !(tcp.port == 3389) and !(udp.port == 3389)
TCP Flags - tcp.flags == 0x2 or tcp.flags == 0xc2 or tcp.flags == 0x12 or tcp.flags == 0x52 or tcp.flags == 0x14 or tcp.flags == 0x4 (SYN, SYN+ECE+CWR, SYN/ACK, SYN/ACK+ECE, RST/ACK and RST: connection setup and resets; these are equality tests, so a SYN or RST carrying any other flag is not shown)
TLS Alerts - (tls.record.content_type == 21) && (tls.record.length < 26) (alert records short enough to be cleartext, so handshake failures stand out; an encrypted TLS 1.2 alert under AES-GCM is 26 bytes and is dropped, but a ChaCha20-Poly1305 alert is 18 bytes and still matches, and TLS 1.3 alerts are wrapped in application_data records and never match)
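Two of the buttons above test exact values rather than the presence of a field, which is easy to misread. The script below is an added example, not part of the repository, that reproduces the TCP Flags and TLS Alerts filters on hand-built packet bytes: it names the flag combination each tcp.flags value stands for, and it parses a TLS record header to show which alerts the length bound keeps and why 26 is the cut-off. All sample bytes are constructed, and the alert-description table is a subset of the IANA registry.

```python
"""Reproduce, on raw bytes, what the "TCP Flags" and "TLS Alerts" buttons match.

Added example, not part of ToddMaxey/WireShark_Configuration. The packet bytes
below are constructed by hand for illustration; nothing here is captured.
"""
import struct

# --- TCP Flags button: tcp.flags == 0x2|0xc2|0x12|0x52|0x14|0x4 -------------
# Flag bits of the TCP header (RFC 9293); ECE/CWR are the ECN bits (RFC 3168).
TCP_FLAG_BITS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}
TCP_FLAGS_BUTTON = {0x02, 0xC2, 0x12, 0x52, 0x14, 0x04}


def decode_tcp_flags(value):
    """Return the flag names set in a tcp.flags value, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if value & bit]


def tcp_flags_button_matches(value):
    """True when the packet would be shown by the TCP Flags button.

    The filter lists exact values, so 0xC2 (SYN+ECE+CWR) matches but 0x18
    (PSH+ACK data) and 0x11 (FIN+ACK) do not: equality, not a bit test.
    """
    return value in TCP_FLAGS_BUTTON


# --- TLS Alerts button: tls.record.content_type == 21 && tls.record.length < 26
TLS_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset of the RFC 5246 / RFC 8446 alert registry
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
    112: "unrecognized_name",
}


def parse_tls_record(data):
    """Parse one TLS record header (type, version, length) and its body."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return {"content_type": content_type, "version": version,
            "length": length, "body": body}


def tls_alert_button_matches(record):
    """The button's display filter applied to a parsed record."""
    return record["content_type"] == TLS_ALERT and record["length"] < 26


def describe_alert(record):
    """Decode a plaintext alert; report encrypted alerts instead of guessing.

    A plaintext alert body is exactly 2 bytes (level, description). Under TLS 1.2
    a cipher adds at least an AEAD tag, so the record grows: AES-GCM gives
    8 (explicit nonce) + 2 + 16 = 26 bytes, which is why the button uses < 26.
    ChaCha20-Poly1305 (RFC 7905) has no explicit nonce, so its encrypted alerts
    are 18 bytes and still pass the button; the length == 2 check catches that.
    """
    if record["content_type"] != TLS_ALERT:
        return None
    if record["length"] != 2:
        return ("encrypted", "%d-byte alert body, not readable" % record["length"])
    level, description = record["body"]
    return (ALERT_LEVELS.get(level, "level %d" % level),
            ALERT_DESCRIPTIONS.get(description, "alert %d" % description))


# Constructed sample records (not captured traffic):
# fatal handshake_failure sent in the clear during a failed TLS 1.2 handshake
PLAINTEXT_ALERT = bytes.fromhex("150303" "0002" "0228")
# encrypted alert under TLS 1.2 AES-128-GCM: nonce(8) + ciphertext(2) + tag(16)
AESGCM_ALERT = bytes.fromhex("150303" "001a") + bytes(26)
# encrypted alert under TLS 1.2 ChaCha20-Poly1305: ciphertext(2) + tag(16)
CHACHA_ALERT = bytes.fromhex("150303" "0012") + bytes(18)
# TLS 1.3 encrypted alert travels as application_data (23), so the button never
# sees it; only TLS 1.3 alerts sent before key exchange use content type 21
TLS13_ALERT = bytes.fromhex("170303" "0013") + bytes(19)


def triage(records):
    """Apply the button to each record and decode the ones it would show."""
    shown = []
    for raw in records:
        rec = parse_tls_record(raw)
        if tls_alert_button_matches(rec):
            shown.append(describe_alert(rec))
    return shown


if __name__ == "__main__":
    for value in sorted(TCP_FLAGS_BUTTON):
        print("tcp.flags == 0x%02x -> %s" % (value, "+".join(decode_tcp_flags(value))))
    for item in triage([PLAINTEXT_ALERT, AESGCM_ALERT, CHACHA_ALERT, TLS13_ALERT]):
        print(item)
```

The practical consequence: when the TLS Alerts button shows a record, check that its length is 2 before reading the level and description; an 18-byte hit is an encrypted alert and tells you only that one side tore the session down, not why.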