Decode Options

Packet Viewer supports customizing how protocols are decoded and displayed through Wireshark profile configuration files. These files are placed in a profile’s wireshark/ directory.

Decode As Rules

The decode_as_entries file specifies how to decode specific types of traffic. Each line represents a rule that tells Packet Viewer to interpret traffic matching certain criteria as a specific protocol.

Format: decode_as_entry: <protocol.field>,<value>,(none),<decode_as_protocol>

Examples:

# Decode UDP port 1234 as RTP
decode_as_entry: udp.port,1234,(none),RTP

# Decode TCP port 5060 as SIP
decode_as_entry: tcp.port,5060,(none),SIP

# Decode TCP port 8080 as HTTP
decode_as_entry: tcp.port,8080,(none),HTTP

You can create decode rules for various protocol selectors including:

  • Port numbers (tcp.port, udp.port)
  • Ethertype values (ethertype)
  • Protocol-specific fields

Color Filters

The colorfilters file defines rules for colorizing packets in the packet list based on display filter expressions. Each rule consists of a name, a filter string, and a background and a foreground color, in that order.

Format: @<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]

Examples:

@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][255,64,64]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[0,0,0][255,243,143]
@DNS@dns@[0,0,0][189,183,107]
@ICMP@icmp or icmpv6@[0,0,0][144,238,144]
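A profile can be checked before it is loaded. The linter below is an added example, not part of Packet Viewer or Wireshark: it parses decode_as_entries and colorfilters text using only the two Format lines above. The function names, the sample input, and the policy of reporting one selector mapped to two different protocols are assumptions of this example.

```python
import re
# Line shapes taken from the two "Format:" lines on this page.
DECODE_RE = re.compile(r"^decode_as_entry:\s*([^,\s]+),([^,]+),([^,]*),([^,\s]+)$")
COLOR_RE = re.compile(r"^@([^@]+)@(.+)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")

# Constructed sample input: page rules plus deliberately bad lines.
SAMPLE_DECODE = """\
# Decode TCP port 8080 as HTTP
decode_as_entry: tcp.port,8080,(none),HTTP
decode_as_entry: tcp.port,8080,(none),SIP
decode_as_entry tcp.port 5060 SIP
"""
SAMPLE_COLORS = "@DNS@dns@[0,0,0][189,183,107]\n@Bad@tcp@[0,0,0][70000,0,0]\n"

def _lines(text):
    """Yield (line_number, stripped_line), skipping blanks and # comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip() and not raw.lstrip().startswith("#"):
            yield n, raw.strip()

def lint_decode_as(text):
    """Return (rules, problems); rules maps (field, value) -> protocol."""
    rules, problems = {}, []
    for n, line in _lines(text):
        m = DECODE_RE.match(line)
        if not m:
            problems.append((n, "not a decode_as_entry line"))
            continue
        field, value, _third, proto = (g.strip() for g in m.groups())
        seen = rules.setdefault((field, value), proto)
        if seen != proto:
            # Linter policy (assumption): one selector, two targets is ambiguous.
            problems.append((n, f"{field}={value} already mapped to {seen}"))
    return rules, problems

def lint_colorfilters(text):
    """Return (filters, problems); filters holds (name, filter, bg, fg)."""
    filters, problems = [], []
    for n, line in _lines(text):
        m = COLOR_RE.match(line)
        if not m:
            problems.append((n, "not a colorfilters line"))
            continue
        rgb = [int(x) for x in m.groups()[2:]]
        if max(rgb) > 0xFFFF:  # the page states 16-bit components
            problems.append((n, "colour component exceeds 16 bits"))
            continue
        filters.append((m.group(1), m.group(2), tuple(rgb[:3]), tuple(rgb[3:])))
    return filters, problems
```

The linter checks line shape only; it does not confirm that a selector, protocol name or display filter is one the dissector engine recognizes.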

General Preferences

The preferences file contains general Wireshark preferences that control how packets are decoded and displayed. This file covers hundreds of protocol-specific settings.

Example:

# TCP protocol preferences
tcp.check_checksum: TRUE
tcp.desegment_tcp_streams: TRUE

For available preferences, see the Wireshark Preferences documentation. For name resolution preferences specifically, see Name Resolution.