# Wireshark color rules for VoIP analysis
# Network Analysis for VoIP Engineers — Cheesman Press
#
# HOW TO IMPORT:
#   Wireshark > View > Coloring Rules > Import
#   Select this file. Rules are applied top to bottom — first match wins.
#
# FORMAT: @rule_name@filter_expression@[fg_r,fg_g,fg_b][bg_r,bg_g,bg_b]
# Colors are in hex RGB format.

@SIP 4xx Error@sip.Status-Code >= 400 && sip.Status-Code < 500@[0,0,0][65535,26214,26214]
@SIP 5xx/6xx Error@sip.Status-Code >= 500@[65535,65535,65535][52428,0,0]
@SIP 200 OK@sip.Status-Code == 200@[0,0,0][39321,52428,39321]
@SIP 180 Ringing@sip.Status-Code == 180@[0,0,0][52428,52428,26214]
@SIP 100 Trying@sip.Status-Code == 100@[0,0,0][52428,52428,52428]
@SIP INVITE@sip.Method == "INVITE"@[0,0,0][39321,52428,65535]
@SIP BYE@sip.Method == "BYE"@[0,0,0][52428,45875,26214]
@SIP REGISTER@sip.Method == "REGISTER"@[0,0,0][45875,39321,65535]
@SIP REFER@sip.Method == "REFER"@[0,0,0][65535,52428,26214]
@SIP NOTIFY@sip.Method == "NOTIFY"@[0,0,0][52428,65535,52428]
@SIP OPTIONS@sip.Method == "OPTIONS"@[32768,32768,32768][65535,65535,65535]
@SIP Other@sip@[0,0,0][52428,52428,65535]
@DTMF Events (RFC 2833)@rtp.p_type == 101@[0,0,0][65535,52428,0]
@RTP No QoS (not EF)@rtp && ip.dsfield.dscp != 46@[0,0,0][65535,45875,45875]
@RTP@rtp@[32768,32768,32768][39321,45875,52428]
@RTCP@rtcp@[32768,32768,32768][45875,52428,52428]
@T.38 Fax@t38@[0,0,0][52428,39321,65535]
@STUN/ICE@stun@[0,0,0][65535,65535,39321]
@DTLS@dtls@[0,0,0][52428,65535,65535]
@TLS Alert (certificate error)@tls.alert_message@[65535,65535,65535][52428,0,0]
@DNS (with SIP)@dns@[32768,32768,32768][45875,45875,39321]
@CDP@cdp@[0,0,0][52428,52428,39321]
@LLDP@lldp@[0,0,0][45875,52428,39321]
