How To Read Color Coding In Wireshark?

Reading Time: 3 minutes
How To Read Color Coding In Wireshark?

In my previous blog, I explained Wireshark, Its installation, and how to use it. Now we’ll go a bit more deep into Wireshark and see how to read the captured packets. So Wireshark tries to help you identify packet types by applying common-sense color coding.

Color in WiresharkPacket Type
Light purpleTCP
Light blueUDP
BlackPackets with errors
Light greenHTTP traffic
Light yellowWindows-specific traffic, including Server Message Blocks (SMB) and NetBIOS
Dark yellowRouting
Dark grayTCP SYN, FIN and ACK traffic

The default coloring scheme is shown below figure. You can view this by going to View >> Coloring Rules.

How To Read Color Coding In Wireshark?

We can even change the defaults or apply a custom rule. If you don’t want any coloring at all, go to View, then click Colorize Packet List. It’s a toggle, so if you want the coloring back, simply go back and click Colorize Packet List again. It’s possible, even, to colorize specific conversations between computers.

How To Read Color Coding In Wireshark?

Wireshark I/O Statistics

In Wireshark, we are not limited to just interpreting packets by colors. It is also possible to view the input/output statistics of an entire packet capture. For this in Wireshark, just go to statistics >> I/O graph, and there we can see a graph like shown below:

How To Read Color Coding In Wireshark?

The above graph is showing typical traffic generated by a home office. The spikes in the graph are bursts of traffic that were caused by generating a Distributed Denial of Service (DDoS) attack using a few Linux systems. In this case, three major traffic bursts were generated. Many times, cybersecurity pros use Wireshark as a quick and dirty way to identify traffic bursts during attacks. It’s also possible to capture the amount of traffic generated between one system and another. If you go to Statistics and then select Conversations, you will see a summary of conversations between endpoints, as shown below:

In some cases, it is even possible to use Wireshark to identify the geographic location of the source and destination traffic. If you click on the Map button at the bottom of the screen (shown in Figure 9 above), Wireshark will show you a map, providing its best guess of the location of the IP addresses you’ve identified.

We know that IPv4 addresses can be easily spoofed, you can’t rely completely on this geographical information. But it can be fairly accurate.

For the Wireshark introduction, you can read my blog on Wireshark installation and how to use it here.

Written by 

Shubham Saini is a DevOps Engineer who loves to play with DevOps tools, Security methods and is also interested in Ethical Hacking & Cyber Security. He is a gamer also.