This is our old Q&A Site. Please post any new questions and answers at

This is a question more related to the fundamentals of networking rather than wireshark itself. I've been trying to learn networking from some videos on the internet and if I understand correctly each layer of the network model is encapsulated by the layer below it. Why do I see TCP and UDP packets on the network then? Shouldn't they be encapsulated by IP packets?

asked 31 Oct '13, 11:20

_delta_'s gravatar image

accept rate: 0%

Are you looking in the Protocol column in Wireshark's Packet List pane? In this column, Wirehark lists the highest level protocol that it can identify, which is why you see TCP instead of IP. Yes, the TCP and UDP packets are encapsulated in IP, which is in turn encapsulated in Ethernet.

If you look in the Packet Details pane, you'll see the entire packet: TCP or UDP, IP, and Ethernet. And if the TCP or UDP packet contains data, you'll see the higher-level protocol, such as HTTP or SMTP, if Wireshark can identify it.

permanent link

answered 31 Oct '13, 11:30

Jim%20Aragon's gravatar image

Jim Aragon
accept rate: 24%

Okay so if I understand correctly, Wireshark sometimes can't identify higher than a certain level like TCP. Why is that?

(31 Oct '13, 11:52) _delta_

There may not be a higher level. Some TCP packets are just acknowledgments; they do not contain any data.

(31 Oct '13, 13:13) Jim Aragon
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 31 Oct '13, 11:20

question was seen: 2,484 times

last updated: 31 Oct '13, 13:13

p​o​w​e​r​e​d by O​S​Q​A