This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I determine protocols in a network capture?

0

Hi there,

I'm completely new to Wireshark and I would like to know the correct way to determine all of the protocols that are used on the network in a specific capture. Please can someone help me?

asked 24 Apr '13, 06:23

harry82
1223
accept rate: 0%


2 Answers:

3

The best way:

Statistics -> Protocol Hierarchy

Regards
Kurt

answered 24 Apr '13, 06:51

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

One should add that the Protocol Hierarchy only shows what Wireshark has been able to determine. So if there is a protocol that Wireshark doesn't know or which runs on a port it doesn't recognize, it will not appear in the statistics.

(24 Apr '13, 08:37) Jasper ♦♦

Thank you all for your time; it is most appreciated.

H

(24 Apr '13, 10:16) harry82

0

Another way (if you're more command-line oriented) is to use "tshark -T fields -eframe.protocols -nr filename.pcap" and then do some work to sort and unique the output. There's even a simple script in the Wireshark source code distribution (tools/list_protos_in_cap.sh) that does this for you. Basically what it does (after error checking, etc.) is:

# Extract the protocol names.
$TSHARK -T fields -eframe.protocols -nr "$CF" 2>/dev/null | tr ':\r' '\n' \
    | sort -u | tr '\n\r' ' '

(Note that this is using the *NIX utilities 'tr' and 'sort' which probably don't exist on Windows unless you have Cygwin installed.)

answered 24 Apr '13, 07:19

JeffMorriss ♦
6.2k572
accept rate: 27%
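The command-line approach in the answer above, extended to count frames per protocol and to surface what the comment on the first answer warns about: payload Wireshark could not identify, which commonly shows up in frame.protocols as the generic "data" layer. This is an added example, not part of the original posts or of the Wireshark source; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Input for both functions: one frame.protocols value per line, as printed by
#   tshark -T fields -eframe.protocols -nr filename.pcap
# e.g.  tshark -T fields -eframe.protocols -nr filename.pcap | proto_counts

# Print "<frames> <protocol>", most frequent first. A protocol that occurs
# twice in one frame (e.g. IP carried inside ICMP) is counted once per frame.
proto_counts() {
    tr -d '\r' | awk -F: '
        NF { split("", seen)                 # portable way to clear the array
             for (i = 1; i <= NF; i++)
                 if (!seen[$i]++) count[$i]++ }
        END { for (p in count) print count[p], p }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Print "<frames> <full stack>" for frames whose last layer is "data",
# i.e. the payload was handed to the generic fallback dissector. These are
# the stacks worth inspecting by hand (unknown protocol or unusual port).
undissected_stacks() {
    tr -d '\r' | awk -F: '
        $NF == "data" { stacks[$0]++ }
        END { for (s in stacks) print stacks[s], s }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample standing in for tshark output (not from a real capture).
SAMPLE='eth:ethertype:ip:tcp
eth:ethertype:ip:tcp:http
eth:ethertype:ip:udp:dns
eth:ethertype:ip:tcp:data
eth:ethertype:ip:tcp:data
eth:ethertype:arp'

echo "Frames per protocol:"
printf '%s\n' "$SAMPLE" | proto_counts
echo "Stacks ending in undissected payload:"
printf '%s\n' "$SAMPLE" | undissected_stacks
```

Like the script quoted in the answer, this relies on *NIX utilities (tr, awk, sort).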