I am trying to display a complete http conversation sequence but all I am getting are HTTP and TCP frames in the trace. I have tried a number of different iterations of the capture and display options but no luck. Please help!! michael asked 31 Mar '16, 06:57  michael325 |
One Answer:
They are all there. In the Protocol column, Wireshark displays only the highest level protocol present in the frame. Look in the Packet Details pane. HTTP is encapsulated in TCP, which is in IP, which is in Ethernet. All your HTTP frames are also TCP, IP, and Ethernet, and all your TCP frames are also IP and Ethernet. If a packet does not have data, Wireshark identifies it as just TCP, not HTTP, even though it's running over a port recognized as HTTP. answered 31 Mar '16, 08:25  Jim Aragon |
Jim, I suspected that something like your description was the case. My confusion still is that non of the packets show "IP" in the protocol column. Would it not be the highest level protocol in some cases. Same applies to ethernet. Or by "highest" would the order be http, tcp, ip and then eternet?
Sorry to be so obtuse but I am just a rank beginner with networking. My past experience is such things as bsc and SNA. :-)
Could you Provide us thaw capture file at a public accessible place like Dropbox? You can use a tool like tracewrangler to anomyze the trace
In this instance, HTTP is the highest layer, TCP is below that, then IP, then Ethernet. No, IP will never be the highest level. IP is used to transport something. We don't send IP packets if there's nothing to put in them. Same for Ethernet. We don't send an Ethernet frame if we don't have some higher-layer payload to put in it.
Thanks, Jim.. That answers my question. Also makes this clear to me!! michael
If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.