
Here is a quick and clever technique in Wireshark.

Let's say you want to present, testify, or teach about a packet capture in Wireshark, but you want to redact information that is not important, perhaps hiding an error that was made, or some information that is private, or some other reason. 

Redaction is often done with black ink or opaque colored ink markers on documents, sometimes to the point of making the document unreadable.

redaction

In Wireshark there is a capability to 'mark' packets by selecting a packet and then using the right-click menu or simply hitting CTRL-M on the keyboard.

Now when you do this marking, Wireshark changes the status of the packet to "marked", and it changes the colorization of the packet to a white foreground with a black background.  You can mark multiple packets, and they need not be contiguous in the packet capture.

So what if we modified this process to change the color of the marked packets to a black foreground and a black background?  Technically you could do this with any color (like blue or red).

The result would be an unreadable - redacted - view of the packet!

So here is where and how I suggest you do this.

First, with your packet capture open, select whatever profile you wish to use.  In my example I am using my Better Default profile (you can get our profiles right here):

redaction 1

Now, I suggest you do not modify this profile, but rather create a copy of it for redaction.  We want to do this before actually making any changes.

Right click on the Profiles area in the lower right corner of your Wireshark GUI screen, and select Manage Profiles:

redaction 2

You will get a pop up with the current profile selected/highlighted (mine was Better Default).  Select the profile you wish to duplicate, then select the duplicate tool:

redaction 3

You will get an update to this pop up that contains a new profile with the word (copy) added:

redaction 4

You can edit this by simply clicking on the profile name - I chose to call it Better Default with redaction.  Then click OK.  That profile is now the active profile.

redaction 5

Perfect.  Now we need to modify the profile with the redaction.

So let's go to Edit > Preferences, and you will get the Preferences dialogue pop up.  In that dialogue, select Font and Colors.  You will see the marked packet configuration:

redaction 6

Click on the white box to the left (which is the foreground color selection for the marked packet).  You will get the color palette selector.  Select black and click OK:

redaction 7

Some sharp-eyed readers may notice that I did not choose black-black (HTML #000000), because you may also notice that the default black Wireshark uses for marked packets is not black-black either.  So if you want to make sure the data is not visible, change both the foreground and the background to black-black.

Now click OK on the Preferences dialogue.

You should be back at your Wireshark screen.

Just select the packets you wish to redact and hit CTRL-M.  These packets will be redacted from your packet list display:

redaction 8

But - keep in mind they are only hidden in the packet list: they are not redacted from the packet details (or packet bytes) panes, and the capture file itself is unchanged.

Optionally you could do the same thing with the "Ignore" function; the problem there is that ignoring packets can cause other errors in the packet analysis.
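Because the marking trick only changes how the packet list is drawn, anyone who receives the capture file still has every byte of the "redacted" frames. When the file itself has to leave your hands, the frames have to be removed from it. The following script is an added example, not part of the original article or of Wireshark: it parses a classic libpcap file with only the Python standard library, drops the frame numbers you name (numbered 1..N exactly as Wireshark shows them), and writes the remaining records back out unchanged. The three-frame capture it builds is constructed for the example; the "password=hunter2" payload is made up.

```python
import struct

# Classic libpcap magic numbers (microsecond timestamps). The byte order of
# the file header decides how every record header after it is unpacked.
MAGIC_LE = b"\xd4\xc3\xb2\xa1"
MAGIC_BE = b"\xa1\xb2\xc3\xd4"
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len


def build_sample_pcap(payloads, linktype=1):
    """Constructed sample capture (not a real trace): one record per payload,
    written as a little-endian pcap with linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, payload in enumerate(payloads, start=1):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(payload), len(payload))
        out += payload
    return out


def _byte_order(data):
    """Return the struct byte-order prefix implied by the file magic."""
    magic = data[:4]
    if magic == MAGIC_LE:
        return "<"
    if magic == MAGIC_BE:
        return ">"
    raise ValueError("unsupported capture format (expected classic microsecond pcap)")


def split_records(data):
    """Return (global_header, [record_bytes, ...]). Records are listed in file
    order, so list index + 1 is the frame number Wireshark displays."""
    order = _byte_order(data)
    header, offset, records = data[:GLOBAL_HDR_LEN], GLOBAL_HDR_LEN, []
    while offset < len(data):
        if offset + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _, _, incl_len, _ = struct.unpack_from(order + "IIII", data, offset)
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        records.append(data[offset:end])   # header + captured bytes, verbatim
        offset = end
    return header, records


def frame_count(data):
    return len(split_records(data)[1])


def redact_frames(data, frame_numbers):
    """Drop the given frame numbers and return the bytes of the new file.
    Unlike marking, the dropped frames' bytes are absent from the result."""
    header, records = split_records(data)
    drop = set(frame_numbers)
    unknown = drop - set(range(1, len(records) + 1))
    if unknown:
        raise ValueError("frame numbers not in capture: %s" % sorted(unknown))
    kept = [rec for n, rec in enumerate(records, start=1) if n not in drop]
    return header + b"".join(kept)


if __name__ == "__main__":
    sample = build_sample_pcap([b"frame one", b"password=hunter2", b"frame three"])
    cleaned = redact_frames(sample, {2})
    print("frames before/after:", frame_count(sample), frame_count(cleaned))
    print("secret still present:", b"hunter2" in cleaned)
```

Two things to keep in mind when using this approach: Wireshark renumbers the remaining frames when it opens the cleaned file, so note the original frame numbers before you redact if you need to refer to them later, and the script deliberately rejects pcapng and nanosecond-timestamp files rather than guessing at their layout. Wireshark's own editcap command can also drop packets by number if you prefer a supported tool over a script.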

Let me know if you find this to be helpful in the comments below.
