I am looking at the protocol hierarchy statistics and with TCP, I see 84.83% of TCP packets. But when I expand the TCP tree, the protocols under TCP (like Data, SSL, SSH protocol, etc.) do not add up to 84.83%. Can somebody help me understand this? Thanks

asked 17 Mar '14, 20:01 by character9
One Answer:
The difference is due to TCP packets that have no data, known as "pure TCP" or sometimes "naked TCP." These would include the SYN and SYN/ACK packets, ACK packets with no data, and FIN or RESET packets. For example, if a packet has no data, then Wireshark does not consider it to be HTTP even if it uses port 80 and even if it is part of an HTTP session. It is TCP only. This is how Wireshark treats all higher-level protocols that run on TCP. To see these packets, apply a display filter of "tcp.len==0".

answered 17 Mar '14, 21:42 by Jim Aragon
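The accounting the answer describes can be reproduced on a constructed packet list. The script below is an added illustration, not code from the thread or from Wireshark: it credits every TCP segment to the TCP node, credits only segments with a non-empty payload to a child node, and then shows that the children plus the tcp.len==0 segments add up to the TCP total. The port-to-protocol table is an assumption that stands in for Wireshark's dissector selection (which uses port registrations and heuristics, not just the destination port), and the packet list is made up for the example.

```python
"""Protocol-hierarchy accounting over a constructed packet list.

Models how Wireshark's Protocol Hierarchy Statistics attribute TCP
segments: a segment carrying payload is credited to a higher-layer node
(HTTP, TLS, SSH, generic Data ...), while a segment with tcp.len == 0
(SYN, SYN/ACK, pure ACK, FIN, RST) is counted under TCP only.
"""
from collections import Counter

# Constructed sample, not a real capture.
# Each tuple is (transport, tcp_len, dst_port, tcp_flags).
SAMPLE_PACKETS = [
    ("udp", 0, 53, ""),        # DNS query
    ("udp", 0, 53, ""),        # DNS response
    ("tcp", 0, 80, "S"),       # HTTP handshake: SYN
    ("tcp", 0, 80, "SA"),      # SYN/ACK
    ("tcp", 0, 80, "A"),       # ACK completing the handshake
    ("tcp", 120, 80, "PA"),    # request with payload -> HTTP
    ("tcp", 0, 80, "A"),       # pure ACK
    ("tcp", 512, 80, "PA"),    # response with payload -> HTTP
    ("tcp", 0, 80, "FA"),      # FIN
    ("tcp", 0, 443, "S"),      # TLS handshake: SYN
    ("tcp", 0, 443, "SA"),     # SYN/ACK
    ("tcp", 200, 443, "PA"),   # ClientHello-sized payload -> TLS
    ("tcp", 0, 22, "S"),       # SSH: SYN
    ("tcp", 40, 22, "PA"),     # banner payload -> SSH
    ("tcp", 30, 9999, "PA"),   # unknown port with payload -> Data
    ("tcp", 0, 9999, "R"),     # RST, no payload
]

# Simplified port table; an assumption standing in for Wireshark's
# dissector lookup, which is richer than a destination-port match.
PORT_TO_PROTOCOL = {80: "HTTP", 443: "TLS", 22: "SSH"}


def classify(packet):
    """Return the hierarchy path (tuple of layer names) for one packet."""
    transport, tcp_len, dst_port, _flags = packet
    if transport != "tcp":
        return (transport.upper(),)
    if tcp_len == 0:
        # Pure TCP: nothing above TCP is credited, whatever the port.
        return ("TCP",)
    upper = PORT_TO_PROTOCOL.get(dst_port, "Data")  # unknown port -> generic Data
    return ("TCP", upper)


def hierarchy(packets):
    """Count packets per node, as the Protocol Hierarchy Statistics do.

    A packet is counted once at every level on its path, so the TCP node
    includes both the pure-TCP segments and every segment that also has a
    child node.
    """
    counts = Counter()
    for p in packets:
        path = classify(p)
        for depth in range(1, len(path) + 1):
            counts[path[:depth]] += 1
    return counts


def percentages(packets):
    """Map each node path to its share of all packets, in percent."""
    counts = hierarchy(packets)
    total = len(packets)
    return {path: round(100.0 * n / total, 2) for path, n in counts.items()}


def tcp_breakdown(packets):
    """Return (tcp_total, sum_of_tcp_children, pure_tcp).

    tcp_total - sum_of_tcp_children is exactly the pure_tcp count, which is
    the gap the question asks about; tcp.len == 0 selects those packets.
    """
    counts = hierarchy(packets)
    tcp_total = counts[("TCP",)]
    children = sum(n for path, n in counts.items()
                   if len(path) == 2 and path[0] == "TCP")
    pure_tcp = sum(1 for p in packets if p[0] == "tcp" and p[1] == 0)
    return tcp_total, children, pure_tcp


if __name__ == "__main__":
    for path, pct in sorted(percentages(SAMPLE_PACKETS).items()):
        print("  " * (len(path) - 1) + f"{path[-1]}: {pct}%")
    total, children, pure = tcp_breakdown(SAMPLE_PACKETS)
    print(f"TCP total {total}, children {children}, pure TCP {pure}")
```

On a real capture the same two numbers come from tshark: `tshark -r capture.pcap -q -z io,phs` prints the hierarchy, and `tshark -r capture.pcap -Y "tcp.len==0" | wc -l` counts the pure-TCP segments that explain the difference.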