This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How the Protocol Hierarchy Statistics works?

Dear all,

Please, anyone could explain how the Protocol Hierarchy Statistics works? Could the dissectors distinguish every single protocol (of course, included in the available list)? If there is any kind of protocol that happens but hidden within other, can wireshark detect? Does the Wireshark dissect based on ports or on the structure of the protocols?

Thanks for your attention. Emilio

phs hierarchy dissector protocol statistics

This question is marked "community wiki".

asked 11 Oct '10, 20:30

emiliohonorio
1●1●1●1
accept rate: 0%

One Answer:

Wireshark tries to recognize protocols in several ways:

By Identifiers. There are well-known identifiers within each protocol layer (Ethertype, IP protocol, TCP port, etc).
By previous traffic. Some protocols prepare the involved systems for new connections, Wireshark snoops on these control packets to add decoding of the dynamic sessions (example: The PORT command on an FTP control channel).
By Heuristics. Some protocols don't have a distinct Identifier, but they do have a recognizable pattern by which they can be Identified.

answered 11 Oct '10, 23:20

SYN-bit ♦♦
17.1k●9●57●245
accept rate: 20%

On a side note: there are settings that can modify the results of the Protocol Hierarchy Statistics, for example the TCP Stream Reassembly. I have traces where the percentage of HTTP goes from 65% with reassembly turned off down to 13% with reassembly turned on. This is in direct relation to the protocol column in the packet list showing either HTTP or TCP, depending on this setting.

Another standard question is, why the percentage at some point doesn't add up to 100% anymore. This is because Wireshark has no "other" percentage for the remaining packets it cannot determine any further.

(12 Oct '10, 03:27) Jasper ♦♦