This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

protocol hierarchy statistics

I am looking at the protocol hierarchy statistics and with TCP, I see 84.83% of TCP packets. But when I expand the TCP tree, the protocols under TCP (like Data, SSL, SSH protocol, etc.) do not add up to 84.83%. Can somebody help me understand this? Thanks

asked 17 Mar '14, 20:01

character9


One Answer:

The difference is due to TCP packets that have no data, known as "pure TCP" or sometimes "naked TCP." These would include the SYN and SYN/ACK packets, ACK packets with no data, and FIN or RESET packets.

For example, if a packet has no data, then Wireshark does not consider it to be HTTP even if it uses port 80 and even if it is part of an HTTP session. It is TCP only. This is how Wireshark treats all higher-level protocols that run on TCP.

To see these packets, apply a display filter of "tcp.len==0".

answered 17 Mar '14, 21:42

Jim Aragon
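The gap described in the answer can be reproduced offline. This is an added example, not part of the original answer: it computes the TCP payload length from the IPv4 and TCP headers (the quantity the `tcp.len==0` filter tests) and counts which segments would be TCP only. The packets are constructed, and the function names `build_packet`, `tcp_len`, `flag_names` and `summarize` are hypothetical.

```python
import struct
from collections import Counter

FLAG_BITS = ((0x02, "SYN"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def build_packet(flags, payload=b""):
    """Constructed IPv4+TCP packet: no options, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload

def tcp_len(packet):
    """TCP payload length: IP total length minus the IP and TCP header lengths."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    data_offset = (packet[ihl + 12] >> 4) * 4
    return total_len - ihl - data_offset

def flag_names(packet):
    flags = packet[(packet[0] & 0x0F) * 4 + 13]
    return "/".join(name for bit, name in FLAG_BITS if flags & bit)

def summarize(packets):
    """Split TCP packets into those carrying payload and those that are TCP only."""
    tcp_only = Counter(flag_names(p) for p in packets if tcp_len(p) == 0)
    with_payload = sum(1 for p in packets if tcp_len(p) > 0)
    return {"tcp_total": len(packets), "with_payload": with_payload,
            "tcp_only": sum(tcp_only.values()), "tcp_only_by_flags": dict(tcp_only)}

# Constructed sample: one short HTTP exchange on port 80.
SAMPLE = [
    build_packet(0x02),                                   # SYN
    build_packet(0x12),                                   # SYN/ACK
    build_packet(0x10),                                   # ACK
    build_packet(0x18, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_packet(0x10),                                   # ACK of the request
    build_packet(0x18, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_packet(0x10),                                   # ACK of the response
    build_packet(0x11),                                   # FIN/ACK
    build_packet(0x11),                                   # FIN/ACK
    build_packet(0x10),                                   # final ACK
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print("TCP packets with no payload: %.0f%%" % (100 * s["tcp_only"] / s["tcp_total"]))
```

In this sample all ten packets count toward TCP, but only the two that carry payload could be attributed to a protocol above it, so the child rows would account for far less than the TCP row.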