I am looking at the protocol hierarchy statistics and with TCP, I see 84.83% of TCP packets. But when I expand the TCP tree, the protocols under TCP (like Data, SSL, SSH protocol, etc.) do not add up to 84.83%. Can somebody help me understand this? Thanks

asked 17 Mar '14, 20:01

character9
accept rate: 0%


The difference is due to TCP packets that have no data, known as "pure TCP" or sometimes "naked TCP." These would include the SYN and SYN/ACK packets, ACK packets with no data, and FIN or RESET packets.

For example, if a packet has no data, then Wireshark does not consider it to be HTTP even if it uses port 80 and even if it is part of an HTTP session. It is TCP only. This is how Wireshark treats all higher-level protocols that run on TCP.

To see these packets, apply a display filter of "tcp.len==0".

answered 17 Mar '14, 21:42

Jim Aragon
accept rate: 24%
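As an added illustration (not part of the answer above), this Python script shows the accounting behind the gap: it parses the text that tshark prints for `tshark -r file.pcap -q -z io,phs` (the command-line form of the protocol hierarchy statistics) and reports how many TCP frames no sub-protocol claims, which is the number the `tcp.len==0` filter should match. The hierarchy sample embedded below is constructed, not taken from a real capture.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout tshark prints for `-z io,phs`
# (two-space indentation per nesting level, "frames:N bytes:M" per protocol).
SAMPLE_PHS = """\
Protocol Hierarchy Statistics
Filter:

frame                                    frames:100 bytes:61240
  eth                                    frames:100 bytes:61240
    ip                                   frames:100 bytes:61240
      tcp                                frames:85 bytes:52100
        ssl                              frames:30 bytes:31000
        ssh                              frames:20 bytes:12300
        data                             frames:10 bytes:4100
      udp                                frames:15 bytes:9140
        dns                              frames:15 bytes:9140
"""

LINE_RE = re.compile(r"^(\s*)(\S+)\s+frames:(\d+)\s+bytes:(\d+)\s*$")


def parse_phs(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Return {protocol: (frame count, [child protocols])} from io,phs output."""
    tree: Dict[str, Tuple[int, List[str]]] = {}
    stack: List[Tuple[int, str]] = []  # (indent, name) of enclosing protocols
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # title, "Filter:" and blank lines carry no counts
        indent, name, frames = len(m.group(1)), m.group(2), int(m.group(3))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # climb back up to this line's parent level
        tree[name] = (frames, [])
        if stack:
            tree[stack[-1][1]][1].append(name)
        stack.append((indent, name))
    return tree


def unaccounted_frames(tree: Dict[str, Tuple[int, List[str]]], proto: str) -> int:
    """Frames counted for `proto` that no child protocol claims.
    For "tcp" these are the pure TCP frames (SYN, ACK, FIN, RST with no data)."""
    frames, children = tree[proto]
    return frames - sum(tree[c][0] for c in children)


if __name__ == "__main__":
    t = parse_phs(SAMPLE_PHS)
    print("pure TCP frames:", unaccounted_frames(t, "tcp"))  # 25 in the sample
```

Compare the reported number against `tshark -r file.pcap -Y "tcp.len==0" | wc -l` on the same capture; the two should agree.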

question asked: 17 Mar '14, 20:01

question was seen: 3,056 times

last updated: 17 Mar '14, 21:42