File Sets in Wireshark are a way to discover, filter, and process traffic. They help you to better organize your captured data and analyze the information for a specific type of file or protocol. This is an indispensable tool for fast and efficient analysis.

Wireshark’s File Sets are based on Common Information Model (CIM) concepts, so they are easy to use with little or no research required. You can specify filter criteria quickly in the GUI within minutes of downloading Wireshark. Once you have gathered your data packets on each file set, Wireshark gives you additional ways to analyze them and extract valuable information from them without having to spend hours looking over files one by one (which often leads to an inefficient search).

Creating File Sets in Wireshark:

• A file set is a group of files with the same name. These groups can be used to create filters that you can use to search for information. To create a file set, you will need to capture your traffic using Wireshark’s capture options, then save the packets recorded in each file as a CSV file.
• To do this, you only need three tools: Wireshark, the browser used for your session, and any text editing software (such as Notepad++). The first step is to configure Wireshark and open your browser so you can browse the page. Next, you must open the CSV file that you want to use with Wireshark. For each packet, enter the packet number in the browser window and click on ‘Save Page As’. 
• The browser will save each packet in a separate text file. This can be a tedious process and if you have already saved these packets, they may not quite match any more. If this occurs, double-click on that file to open it in Wireshark and update it there.
• After saving all of your packets as a CSV file, open them with Wireshark by clicking on Capture, and then start a new capture. After ten seconds or so, the log will be created with one new entry for each packet (the first one being #0). Move on to the next step.
• Once you have finished your packet captures, select File | Export Packets | Save as CSV to save these parsed packets as a CSV file. Usually, this file will be named something like “Wireshark capture” where “Wireshark capture” is the name of the file that you saved. If it is not a . CSV file, then open it in any spreadsheet or text editor. A quick way to open it in Excel or OpenOffice is by right-clicking on it and selecting ‘open with’ from the dropdown menu.

Detect Files of a File Set: 

• When a file set is captured, the special Wireshark dissector for file sets can dump all the files in the set. The files are dumped as separate packets, and if they share a common filename prefix, that prefix is displayed to make them easier to identify.
• If you’ve ever had to troubleshoot an application or system where you’re not sure what protocol is in use, Wireshark has your back. It can detect when specific protocol loads and automatically dissects it for you so that you can see its details without any additional configuration.
• The core functionality of Wireshark lies in its high-performance display filter system. Filters are stored as regular text files containing DTD-like syntax; they are easy to read, easy to write (with sufficient knowledge about DTDs), and maintainable when extended. In contrast to many other packet analyzers, the display filter file specification is an XML schema, making it modular and easy to extend. Wireshark 2.0 offers a full XML editor that supports source editing and lives syntax highlighting. Text-based filters can also be created using a text editor or GUI IDE like Eclipse, VS 2005 or NetBeans, or CVS.
• Filters are applied on packet captures and on packets being sent to/received from TCP sockets (as well as UDP sockets). Filters typically examine network traffic, interpret the exchanged data and produce an interpretation of the original data in a format understandable by humans (usually color-coded).
• You can create filters for the most common Wireshark features by clicking on a packet, selecting menu items or pressing buttons and waiting for packets to be filtered. By default, the resulting filters are stored in a .pcapng file, however, the user can choose to change this with a preference.
• Protocols can be examined by specifying the protocol in the Preferences dialog box of Wireshark. Alternatively, packets with a specific protocol number are filtered (for example, TCP or UDP). The protocol is specified by a hexadecimal value, which can be found in the protocol column of ip-to-hex.net.

Important Points:

• You can save a file set for any protocol, but if you are creating a file set for HTTP traffic, then it is not wise to also open your mail program and save it as a CSV file that you will use for HTTP. It is not recommended as these packets will be different in size and might create unintended results when searching your data.
• If you have access to the system that captured data packets, or if the same machine capturing the packets runs Wireshark on two different interfaces (one interface on eth0/eth1 and another on lo/lo) then you may need to save both log files separately (one for each interface). This helps avoid naming collisions.

Countermeasures:

• If you know that the same machine is capturing traffic from multiple interfaces, it is good practice to name your files according to which interface the packets are being captured.
• If you plan on redirecting traffic from a network, it might be good to keep the file set for each interface separate and name according to the network segment. That way, you will be able to distinguish between segments even if they are using the same port. Once you have saved your packets as a CSV file, open them with Wireshark by clicking on the Capture menu and then start a new capture. After ten seconds or so, the log will be created with one new entry for each packet (the first one being #0). Move on to the next step.
• Once you have finished your packet captures, select File | Export Packets | Save as CSV to save these parsed packets as a CSV file. Usually, this file will be named something like “Wireshark capture” where “Wireshark capture” is the name of the file that you saved. If it is not a .CSV file, then open it in any spreadsheet or text editor.

Conclusion: 

• File Set is an extension of the idea of Protocol Hierarchy that helps to organize your captured data in a very clear and easy-to-read way. File Sets are easy to create and use, and once you have created them, you can easily analyze and manipulate captured data packets.
• The most important aspect of File Sets is that it simplifies the analysis by allowing you to look at related protocols or file types together. You can use them to see a summary of all HTTP packets captured, for example. They also make it easier for you to find specific protocols or files because Wireshark provides additional search options that allow you to find only the specific File Set members.