As most of my readers, students, and clients know, I absolutely love Wireshark. I deeply am infatuated with Wireshark’s Profiles, more properly called configuration profiles. So much so that many years ago now, I set up the first Wireshark Profiles Repository. 100’s of thousands of downloads have resulted, and I hope I have helped the community to improve and extend their Wireshark Skills as well as shorten their troubleshooting journeys.
That said, with version 4.3.0 and later, Wireshark has introduced a funky and cool new feature, that allows you to set up Wireshark to “automatically” switch configuration profiles based on a particular display filter matching, and therefore triggering the switch. I put automatically in quotes because it really isn’t automatic per se. It is triggered by matching an argument in the display filter configuration for that profile.
Let’s give an example: say you open or perform a capture where VLAN’s exist, and you want to “automatically” switch to your VLAN profile. Here is how you accomplish this:
First, open Wireshark, then click on Edit> Configuration Profiles
The following pop up will appear:
Now yours might look a little different as to what profiles you have. Note in mine, there is a VLAN profile, and note the Auto Switch filter column.
Next, select the VLAN profile, it will turn blue background:
Now double click to the right of the word Personal, in that Auto Switch Filter column. You will get a cursor:
In that display filter box, type “vlan”. The background, as with all filters will turn green if the syntax is correct and understood by Wireshark:
Now click OK.
Now if we open a capture that has VLAN traffic in it, wireshark will switch to the VLAN profile!
Here is the result:
I start with Wireshark open at the home screen in my Better Default profile:
Then I select the VLAN_VTP.pcang file to open, and poof, the file opens and I am in my VLAN profile:
Pretty cool.
You will note that there is a setting called the Auto switch packet limit. This is the number of packets to check for automatic profile switching. Setting this to zero disables automatic profile switching.
If this triggering perfect? Well, at the time of this writing, no.
As one tends to switch from one profile to the next during the troubleshooting process, this stops the triggering check. So if you close a file, and then open another, the trigger may not work as you expect, or not work at all.
Also, choosing the correct filter trigger is extremely important. I chose a simple one above. But in other cases, this may be more difficult. Let us know what triggers you use. After I play with this feature some more, I will probably create a list of great display filter triggers for various profiles and publish it. Look for that soon.
Comments are welcomed below from registered users. You can also leave comments at our Discord server.
If you would like to see more content and articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!