This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help, urgent: Wireshark UDP/TCP DATA


In Wireshark, in Protocol Hierarchy Statistics under TCP it says "Data" and only "Data", and also under UDP it says it's nearly up to 10% in packets and bytes. What is this and why is it there? Please help; any help will be much appreciated.

asked 17 Nov '15, 11:25


jakejd


One Answer:


what is this and why is it there

It is there because the payload of the corresponding TCP or UDP packets could not be identified more exactly. Normally, below TCP, you find lines like "Hypertext Transfer Protocol", "Secure Sockets Layer" and the like.

The reasons may be:
- disabled dissection of the higher protocol hierarchy
- non-standard ports used (if the payload is identified based on port number)
- missing beginning of the communication (if the payload is identified heuristically)
- limitation of frame size during capture

answered 17 Nov '15, 12:07


sindy

edited 17 Nov '15, 13:14
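The four reasons in the answer above, as an added toy example (this is not Wireshark's code and not part of the original answer): a small Python model of the lookup Wireshark performs below TCP/UDP, which tries an explicit "Decode As" entry, then the port-based dissector table, then heuristic dissectors, and falls back to "Data". The port table, the two heuristics, the `Packet` class and all sample packets are constructed here for illustration; they are not from any real capture.

```python
"""Toy model of how Wireshark picks the dissector that sits above TCP/UDP,
and why Protocol Hierarchy Statistics can show plain "Data" instead of
HTTP or SSL/TLS.

Added example, not Wireshark's own code: the port table, the heuristics
and the sample packets below are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for Wireshark's port-based dissector tables.
PORT_DISSECTORS: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "Hypertext Transfer Protocol",
    ("tcp", 443): "Secure Sockets Layer",
    ("udp", 53): "Domain Name System",
}


@dataclass
class Packet:
    proto: str             # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes         # bytes that made it into the capture file (may be cut by snaplen)
    first_in_stream: bool  # True if this is the first segment of its conversation


def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (Handshake), version 0x03 0x00..0x04.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def looks_like_http(payload: bytes) -> bool:
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/1."))


# Heuristic dissectors only recognise the *start* of a conversation.
HEURISTICS = [
    ("Secure Sockets Layer", looks_like_tls),
    ("Hypertext Transfer Protocol", looks_like_http),
]


def classify(pkt: Packet,
             enabled: Optional[Set[str]] = None,
             decode_as: Optional[Dict[Tuple[str, int], str]] = None) -> str:
    """Name that would appear below pkt.proto in the hierarchy, or "Data".

    enabled   -- names of dissectors that are switched on (None = all of them)
    decode_as -- extra (proto, port) -> name entries, like Wireshark's "Decode As..."
    """
    def on(name: str) -> bool:
        return enabled is None or name in enabled

    # 1. An explicit "Decode As" entry wins over everything else.
    table = decode_as or {}
    name = table.get((pkt.proto, pkt.dport)) or table.get((pkt.proto, pkt.sport))
    if name and on(name):
        return name

    # 2. Registered port -> dissector, checked for either direction of the flow.
    for port in (pkt.dport, pkt.sport):
        name = PORT_DISSECTORS.get((pkt.proto, port))
        if name and on(name):
            return name

    # 3. Heuristics: need the conversation start and enough captured bytes.
    if pkt.first_in_stream:
        for name, match in HEURISTICS:
            if on(name) and match(pkt.payload):
                return name

    # 4. Nothing claimed the payload: Protocol Hierarchy shows "Data".
    return "Data"


def hierarchy(packets, **kw) -> Dict[str, float]:
    """Per-protocol share of packets in percent, like Protocol Hierarchy Statistics."""
    counts = Counter(classify(p, **kw) for p in packets)
    return {name: 100.0 * n / len(packets) for name, n in counts.items()}


# Constructed sample traffic (hand-written bytes, not from a real capture).
CLIENT_HELLO = bytes.fromhex("160301") + b"\x00\x2a\x01" + b"\x00" * 41  # handshake record
APP_DATA = bytes.fromhex("170303") + b"\x00\x10" + b"\x00" * 16          # application-data record

SAMPLE = [
    Packet("tcp", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", True),
    Packet("tcp", 51001, 443, CLIENT_HELLO, True),
    Packet("tcp", 51002, 8443, CLIENT_HELLO, True),       # non-standard port, start captured
    Packet("tcp", 51003, 8443, APP_DATA, False),          # non-standard port, start missed
    Packet("tcp", 51004, 8443, CLIENT_HELLO[:2], True),   # snaplen cut the record header
    Packet("udp", 51005, 53, b"\x12\x34\x01\x00" + b"\x00" * 8, True),
    Packet("udp", 51006, 4000, b"\xde\xad\xbe\xef", True),  # unknown UDP application
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.proto, p.dport, "->", classify(p))
    print("Data share:", hierarchy(SAMPLE).get("Data"))
    print("with Decode As 8443 -> SSL:", hierarchy(SAMPLE, decode_as={("tcp", 8443): "Secure Sockets Layer"}))
```

Packets 4, 5 and 7 end up as "Data" in the default run (missed conversation start, truncated frame, unknown UDP port), and disabling the HTTP dissector via `enabled=` turns packet 1 into "Data" as well. In real Wireshark the equivalent fixes are Analyze > Decode As... (or `tshark -d tcp.port==8443,ssl`, spelled `tls` in current releases), re-enabling the protocol under Analyze > Enabled Protocols, capturing from the start of the conversation, and capturing with a large enough snaplen (`-s`).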

sindy, so this doesn't mean that anyone is trying to get my Mac's, idk, passwords or something? Because I searched them all and they're all private IPs. And thanks for answering.

(17 Nov '15, 12:11) jakejd

Not enough information from your side and not enough knowledge on my side to answer this even if you provided the capture, but maybe someone else would be able to answer if you publish the capture somewhere and post a link to it here. Please use comments instead of answers, calm down and read the site FAQ.

(17 Nov '15, 12:19) sindy

Oh, and I tracked an IP under Data and it was from Amsterdam. Why the hell would I get this IP? And another is from the organisation Cloudflare, which is a DNS security thing which I am not with, and likewise Amazon IPs are the source, but the destination isn't my IP, it's a private one, which is weird, and this private one pops up a lot: 192.168.0.6 is the private IP.

(17 Nov '15, 12:21) jakejd

And it also looks like someone is trying to DDoS attack me because there are a lot, and I mean a lot, of packets coming in. Like, I leave Wireshark on for 1 minute and I get like 1000 packets. Or is this normal? I don't know.

(17 Nov '15, 12:28) jakejd

  1. How is your machine connected to the network (Ethernet/WiFi/something else)?
  2. Is there something else connected to the same network?
  3. Do you use "promiscuous mode" for capture?

If 2 and 3 are true, you may be capturing someone else's traffic under some circumstances. As for the unknown IP addresses, a lot of web pages use Amazon's cloud, and a lot of web pages use other web pages as sources of advertisement banners and videos...

(17 Nov '15, 12:29) sindy

DDoS at 1000 packets per minute? LOL, guy, that's next to silence. DDoS attacks are hundreds of thousands of packets per second. What other applications are running on your machine?

(17 Nov '15, 12:42) sindy

Yeah, but it might just be a noob trying to do it from his one computer, which I know won't do anything, but when it's coming in and I don't have a web page open or anything else open that uses the internet, that's the only thing I could think of.

(17 Nov '15, 12:51) jakejd

As said, save the capture file, put it on some publicly accessible web site (like CloudShark, Google Drive...), and post a link here. If I can't see anything in it, someone else may.

But if your machine has a public IP address and there is no firewall device between it and the network, then yes, you are most likely under several attacks simultaneously; this is the default state. E.g., for a Linux machine with default passwords and no firewall configured, the time to be hacked is not more than 20 minutes from getting connected to the 'net.

(17 Nov '15, 13:00) sindy