Custom Decode Options
Packet Viewer supports customizing protocol decoding through both global configuration and profile-specific settings. These configurations allow you to control how different protocols are interpreted and displayed.
Global
Global configurations in Packet Viewer are stored in two different locations within the Docker container:
/home/pv/.config/wireshark/
└── decode_as_entries
/usr/cloudshark/share/wireshark/
├── colorfilters
└── preferences
The decode rules in /home/pv/.config/wireshark are used as defaults when no profile is specified or when the active profile doesn't include specific decode rules. If a profile contains a decode_as_entries file, the profile's version will take precedence over the global configuration.
The color filters and preferences in /usr/cloudshark/share/wireshark provide system-wide defaults for these settings.
Profile-Based
Packet Viewer also supports loading Wireshark v4.2 compatible profiles for more targeted configuration control. The --profiles-dir option instructs Packet Viewer where to load profiles from. This defaults to /data/profiles inside the Docker image.
Profiles must follow a specific format and are managed at the container level.
A profile is a directory containing a single directory named wireshark which holds the configuration files. For example:
/data/profiles/
├── sample/
│   └── wireshark/
│       ├── preferences
│       ├── colorfilters
│       └── decode_as_entries
└── wifi/
    └── wireshark/
        ├── preferences
        └── decode_as_entries
When using the React component, the profile prop takes the string name of the requested profile.
Deployment
Configuration files can be added to the Docker container either by building a custom image or by mounting local directories as volumes at runtime.
Custom Image
You can create a custom Dockerfile that adds your configuration files to the appropriate locations:
FROM packet-viewer:v1.7.0
# Copy decode rules
COPY config/decode_as_entries /home/pv/.config/wireshark/
# Copy global preferences and color filters
COPY config/preferences /usr/cloudshark/share/wireshark/
COPY config/colorfilters /usr/cloudshark/share/wireshark/
# Copy profiles
COPY profiles/ /data/profiles/
# Set the entrypoint to packet-viewer
ENTRYPOINT ["/pv-service", "--sharkd", "/usr/cloudshark/bin/sharkd", "--config-dir", "/config", "--captures-dir", "/data/captures", "--profiles-dir", "/data/profiles"]
Volume Mounts
Alternatively, you can mount your configuration directories when running the container:
docker run --rm -p 443:443 \
-v /path/to/profiles:/data/profiles \
-v /path/to/decode_rules:/home/pv/.config/wireshark \
-v /path/to/wireshark_config:/usr/cloudshark/share/wireshark \
packet-viewer:v1.7.0
This approach allows you to modify configurations without rebuilding the container.
Configuration Files
The following configuration options can be set either globally or within individual profile directories.
Preferences
The preferences file contains general Wireshark preferences that control how packets are decoded and displayed.
Example preferences:
# TCP protocol preferences
tcp.check_checksum: TRUE
tcp.desegment_tcp_streams: TRUE
Color Rules
The colorfilters file defines rules for colorizing packets in the packet list based on display filter expressions. Each rule consists of a name, a filter string, and foreground/background colors. This helps highlight specific types of traffic or conditions.
Format: @<filter name>@<filter string>@[<bg RGB(16-bit)>][<fg RGB(16-bit)>]
Example color filters:
@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][255,64,64]
@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[0,0,0][255,243,143]
@DNS@dns@[0,0,0][189,183,107]
@ICMP@icmp or icmpv6@[0,0,0][144,238,144]
Decode As Rules
The decode_as_entries file specifies how to decode specific types of traffic. Each line represents a rule that tells Packet Viewer to interpret traffic matching certain criteria as a specific protocol.
Format: decode_as_entry: <protocol.field>,<value>,(none),<decode_as_protocol>
Common examples:
# Decode UDP port 1234 as RTP
decode_as_entry: udp.port,1234,(none),RTP
# Decode TCP port 5060 as SIP
decode_as_entry: tcp.port,5060,(none),SIP
# Decode TCP port 8080 as HTTP
decode_as_entry: tcp.port,8080,(none),HTTP
You can create decode rules for various protocol selectors including:
- Port numbers (tcp.port, udp.port)
- Ethertype values (ethertype)
- Protocol-specific fields
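As an added example (not part of Packet Viewer itself), the following Python validates colorfilters and decode_as_entries files against the formats described above before they are baked into an image or mounted as a volume, and applies the stated precedence rule that a profile's decode_as_entries file replaces the global one. The file contents are constructed samples; the regular expressions and function names are this example's own assumptions, not Packet Viewer APIs.

```python
import re

# Constructed sample files (a global decode file, a profile's decode file, a colorfilters file)
GLOBAL_DECODE = """# Decode UDP port 1234 as RTP
decode_as_entry: udp.port,1234,(none),RTP
decode_as_entry: tcp.port,8080,(none),HTTP
"""
PROFILE_DECODE = "decode_as_entry: tcp.port,5060,(none),SIP\n"
COLORFILTERS = """@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update@[0,0,0][255,64,64]
@DNS@dns@[0,0,0][189,183,107]
"""

# decode_as_entry: <protocol.field>,<value>,(none),<decode_as_protocol>
DECODE_RE = re.compile(r"^decode_as_entry:\s*([\w.]+),([^,]+),\(none\),(\S+)$")
# @<filter name>@<filter string>@[<bg RGB>][<fg RGB>]
COLOR_RE = re.compile(r"^@([^@]+)@([^@]+)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


def _content_lines(text):
    """Yield (lineno, line) for non-blank, non-comment lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def parse_decode_as(text):
    """Return {(selector, value): protocol}; raise ValueError on a malformed line."""
    rules = {}
    for lineno, line in _content_lines(text):
        m = DECODE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed decode_as_entry: {line!r}")
        selector, value, proto = m.groups()
        rules[(selector, value.strip())] = proto
    return rules


def parse_colorfilters(text):
    """Return a list of {name, filter, bg, fg}; colour components must fit in 16 bits."""
    rules = []
    for lineno, line in _content_lines(text):
        m = COLOR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed colorfilter: {line!r}")
        name, filt, *rgb = m.groups()
        bg, fg = tuple(map(int, rgb[:3])), tuple(map(int, rgb[3:]))
        if any(c > 0xFFFF for c in bg + fg):
            raise ValueError(f"line {lineno}: colour component exceeds 16 bits")
        rules.append({"name": name, "filter": filt, "bg": bg, "fg": fg})
    return rules


def effective_decode_rules(global_text, profile_text=None):
    """Profile decode_as_entries, when present, takes precedence over the global file."""
    return parse_decode_as(profile_text if profile_text is not None else global_text)
```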