This is a question more related to the fundamentals of networking rather than Wireshark itself. I've been trying to learn networking from some videos on the internet and if I understand correctly each layer of the network model is encapsulated by the layer below it. Why do I see TCP and UDP packets on the network then? Shouldn't they be encapsulated by IP packets?

asked 31 Oct '13, 11:20 _delta_
One Answer:
Are you looking in the Protocol column in Wireshark's Packet List pane? In this column, Wireshark lists the highest level protocol that it can identify, which is why you see TCP instead of IP. Yes, the TCP and UDP packets are encapsulated in IP, which is in turn encapsulated in Ethernet. If you look in the Packet Details pane, you'll see the entire packet: TCP or UDP, IP, and Ethernet. And if the TCP or UDP packet contains data, you'll see the higher-level protocol, such as HTTP or SMTP, if Wireshark can identify it.

answered 31 Oct '13, 11:30 Jim Aragon
Okay so if I understand correctly, Wireshark sometimes can't identify higher than a certain level like TCP. Why is that?
There may not be a higher level. Some TCP packets are just acknowledgments; they do not contain any data.
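
Added example, not part of the original question or answers: a minimal Python sketch of the encapsulation described in this thread. It builds constructed Ethernet/IPv4/TCP and UDP frames, walks the layers outermost first, and reports the last layer identified, which is what the Protocol column shows. The function names are hypothetical and the HTTP check is a simplified stand-in, not Wireshark's dissector logic.

```python
import struct

def build_frame(proto, payload=b"", sport=49152, dport=80):
    """Constructed sample: Ethernet II + IPv4 + TCP/UDP, checksums left at zero."""
    if proto == 6:   # TCP: 20-byte header, only the ACK flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)  # dst, src, EtherType IPv4
    return eth + ip + l4

def dissect(frame):
    """Return the layer stack, outermost first (the Packet Details view)."""
    layers = ["Ethernet"]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return layers
    layers.append("IP")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    l4 = ip[ihl:total_len]
    if ip[9] == 6:
        layers.append("TCP")
        data = l4[(l4[12] >> 4) * 4:]             # skip TCP header (data offset)
    elif ip[9] == 17:
        layers.append("UDP")
        data = l4[8:]
    else:
        return layers
    # Assumption: a crude prefix match stands in for real payload identification.
    if data.startswith((b"GET ", b"POST ", b"HTTP/1.")):
        layers.append("HTTP")
    return layers

def protocol_column(frame):
    """Highest layer identified (the Packet List 'Protocol' column)."""
    return dissect(frame)[-1]

if __name__ == "__main__":
    for f in (build_frame(6),                                   # bare ACK, no data
              build_frame(6, b"GET / HTTP/1.1\r\n\r\n"),        # TCP carrying HTTP
              build_frame(17, b"\x00\x01", dport=9999)):        # UDP, unknown payload
        print(protocol_column(f), "<-", " / ".join(dissect(f)))
```

The bare ACK stops at TCP because there is no payload to identify, while the same TCP header carrying a request line is labelled HTTP; in both cases IP and Ethernet are still present underneath.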