Laura Chappell

NEW: Wireshark Auto-Switch Profiles

Wireshark version 4.4.0 just dropped last week and it has a cool new feature in it: auto-switch profiles!


This may change how I use Wireshark to analyze traffic -- just as display filter buttons and packet comments did.


What is an Auto-Switch Profile?


An auto-switch profile is one that Wireshark automatically switches over to when a specific number of packets match a specific display filter applied to a trace file.


For example, suppose I am working on a problem dealing with DNS and HTTPS/TLS communications. When I apply a filter for DNS delays, I can configure Wireshark to automatically switch to my DNS troubleshooting profile when one or more packets match my filter.


This lets me quickly focus on any DNS issues in the trace file.


And when I apply a display filter for large TCP delta times, I can configure Wireshark to automatically switch to my TCP Time Analysis profile to focus on delays within TCP streams.


Why is this Cool?


This new feature will enable me to split up my profiles to focus more on particular functions and troubleshooting or network forensics methods. I can now let Wireshark guide me to the profile that matches my task at hand.


How do I Create an Auto-Switch Profile?

To create an auto-switch profile, add an Auto Switch Filter value to an existing profile, or set one when you create a new profile. The image below shows some examples.


If I open a new trace file and apply a dns filter, Wireshark automatically switches to my DNS Analysis profile that contains all the colors, buttons, and columns I use to analyze DNS traffic.


When I apply a dhcp filter, Wireshark automatically switches to my DHCP profile so I can focus on that traffic.

[Image: Wireshark's profile list]

In the example above, I've circled a setting that you need to be aware of - the Auto switch packet limit setting. Wireshark won't switch to a profile until that number of packets matches the display filter.


In my example, I want Wireshark to switch to my DNS Analysis profile if there is a single DNS packet in the trace file.


This is one of those features that will likely change how I create and use my profiles from now on. I will make a note to follow up with this in a few months to share how this new feature has affected my processes.


Cheers!


