Wireshark traffic analysis
NOTE: I have an updated version of this information posted on the Palo Alto Networks blog at:

Wireshark is a great tool, but its default column display doesn't work effectively for the type of analysis I normally do. Most people will change their columns from the default configuration. This guide shows how I change the columns in my Wireshark setup.

The default columns for Wireshark are: Packet number, Time, Source, Destination, Protocol, Length, and Info (as shown below). Let's change this by editing our preferences (Edit -> Preferences). From the Wireshark Preferences menu, select Columns. From there, we're going to remove the first column, which is "Number" (it lists the packet number you're viewing in the PCAP). After that, I also remove the Protocol and Length columns.

Next, we'll add some new columns, as shown below. The first new column to add is the source port. You'll want to select "Src port (unresolved)" so you can see the port number. Otherwise, it'll show whatever service name is associated with that port (for example "http" instead of 80). The default name of any new column is "New Column", so change the name of that new column. Once you've changed the name, you can left-click and drag that column to the location you choose. We'll put it after the Source address. After a few additions and column changes, here's the setup that I use. Notice how the Source and Destination addresses are also changed to an "unresolved" field type, so the columns show the raw IP addresses rather than resolved names.

The default time format is "Seconds Since Beginning of Capture". Let's change it to "Date and Time of Day": go to View -> Time Display Format -> Date and Time of Day. After that, we'll change the precision of the displayed time from automatic to seconds, as shown below (View -> Time Display Format -> select "Seconds: 0").

Some of the columns are aligned to the right, which we can fix by right-clicking on the column header and selecting the proper alignment.

Now we have everything, but I also want to see the http.host name as one of the columns. To do that, let's filter on http.request, so we're only seeing the HTTP requests. Expand the breakout in the middle section (the packet details pane) so you see the Host: line in the HTTP header, then right-click that line and select "Apply as Column".
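The column layout built above, reproduced offline as an added example (this is not code from the original post): a small standard-library Python script parses a constructed three-packet pcap and emits, for each packet, the same fields the custom columns show (date and time of day at seconds precision, source, unresolved source port, destination, unresolved destination port, http.host, request URI), then applies the equivalent of the http.request filter. The pcap bytes, the addresses, the "SERVICES" table and the packet contents are all constructed here; they are not captured traffic. It also shows side by side what the resolved port column would have displayed, which is the reason the post picks the unresolved variant.

```python
"""Added example, not from the original post: emulate the custom Wireshark
column layout on a tiny constructed pcap, using only the Python standard
library. Dictionary keys mirror Wireshark field names (ip.src,
tcp.srcport, http.host); nothing here is captured traffic."""
import struct
from datetime import datetime, timezone

# Constructed subset of /etc/services: what a *resolved* port column would
# show in place of the number. "Src port (unresolved)" avoids this substitution.
SERVICES = {53: "domain", 80: "http", 443: "https"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def ipv4_tcp_frame(src, sport, dst, dport, payload=b"", flags=0x18):
    """Ethernet/IPv4/TCP frame with constructed addresses; checksums left zero."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"            # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(packets):
    """Serialise (epoch_seconds, frame) pairs as a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in packets:
        secs = int(ts)
        usecs = int(round((ts - secs) * 1_000_000))
        out += struct.pack("<IIII", secs, usecs, len(frame), len(frame)) + frame
    return out


def http_request(payload):
    """Return (method, uri, host) if the TCP payload starts an HTTP request, else None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) < 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = None
    for line in head[1:]:                 # the "Host:" line the post expands in the details pane
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii"), parts[1].decode("ascii", "replace"), host


def column_rows(pcap):
    """One dict per IPv4/TCP packet, keyed by the columns the post sets up."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "only little-endian pcap handled"
    off, rows = 24, []
    while off + 16 <= len(pcap):
        secs, _usecs, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        req = http_request(tcp[(tcp[12] >> 4) * 4:])
        rows.append({
            # "Date and Time of Day" at "Seconds: 0" precision (UTC here; the GUI shows local time)
            "frame.time": datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "ip.src": ".".join(map(str, ip[12:16])),
            "tcp.srcport": sport,                      # Src port (unresolved)
            "tcp.srcport.resolved": SERVICES.get(sport, str(sport)),
            "ip.dst": ".".join(map(str, ip[16:20])),
            "tcp.dstport": dport,                      # Dst port (unresolved)
            "tcp.dstport.resolved": SERVICES.get(dport, str(dport)),
            "http.request": req is not None,           # what the http.request display filter tests
            "http.host": req[2] if req else None,
            "http.request.uri": req[1] if req else None,
        })
    return rows


def http_requests(pcap):
    """Apply the post's display filter: keep only rows where http.request is true."""
    return [r for r in column_rows(pcap) if r["http.request"]]


def sample_pcap():
    """Constructed three-packet capture: one GET, a bare ACK, one response."""
    get = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: constructed-sample\r\n\r\n")
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    return build_pcap([
        (1700000000.25, ipv4_tcp_frame("192.168.1.10", 49152, "203.0.113.5", 80, get)),
        (1700000000.30, ipv4_tcp_frame("203.0.113.5", 80, "192.168.1.10", 49152, flags=0x10)),
        (1700000000.90, ipv4_tcp_frame("203.0.113.5", 80, "192.168.1.10", 49152, resp)),
    ])


if __name__ == "__main__":
    cols = ["frame.time", "ip.src", "tcp.srcport", "ip.dst", "tcp.dstport", "http.host", "http.request.uri"]
    print("\t".join(cols))
    for row in http_requests(sample_pcap()):
        print("\t".join(str(row[c]) for c in cols))
```

On a real capture the same columns can be pulled from the command line with tshark, which applies the display filter and prints the fields in the order given: `tshark -r capture.pcap -Y http.request -t ad -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.host -e http.request.uri`. In the script, only the single GET survives the filter; the ACK has no payload and the response starts with "HTTP/1.1", not a method, so neither counts as a request, and the destination port is reported as 80 rather than "http".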













