Hi, I want to know what the "DATA" protocol under "Statistics > Protocol Hierarchy > Frame > Ethernet > IPv4 > TCP > DATA" means. I'm analyzing several captures but I don't have any idea what this DATA means. Best regards and thanks for the help.
asked 12 Jan '12, 12:15 DavOz, edited 12 Jan '12, 12:40
One Answer:
"data" just means that some dissector (say TCP) didn't know how to dissect a payload (e.g. couldn't dispatch to a dissector for the payload) and so chose to just display the payload bytes as "data".
answered 12 Jan '12, 12:46 Bill Meier ♦♦
Thanks,
Just to be really clear, this means that Wireshark couldn't detect which TCP protocol this payload is and just displays it as Data? Is there any statistic or way to find who is generating this DATA?
(Note: I've converted your answer to a comment per the way this site works. Please see the FAQ).
You certainly can use 'data' as a display filter to find frames showing 'data'.
You would need to look in detail at the relevant frames, determine the source machine, determine what on that machine is sending the frames, etc., etc. (I'm leaving out the details.)
Note that it may be perfectly normal to see Wireshark decode something as 'data'.
For example, if I write a client/server application which sends data over TCP with my own format (i.e., using my own protocol) then obviously Wireshark wouldn't be able to decode the data (unless I wrote a dissector for that protocol).
Also: there are certainly many protocols which Wireshark doesn't know how to dissect. New & updated protocol dissectors are being added all the time.
Thank you Bill, I really appreciate your help. Can you tell me how this filter could be used? I'm just a Wireshark amateur.
You can find instructions in the Wireshark User's Guide. See the section on filters.
Basically, in this case it boils down to entering
data
in the filter toolbar text entry field and then clicking apply. Wireshark will then show only frames containing a 'data' display.
Thank you again... Really thank you...
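
One way to answer the follow-up question in the comments (who is generating the 'data' frames), as an added example that is not part of the original thread: export the frames matching the 'data' filter with tshark and total the undissected bytes per sender. The tshark command in the comment, the file name capture.pcapng, the function name and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of tab-separated output, as produced by a command such as:
#   tshark -r capture.pcapng -Y "tcp && data" -T fields \
#          -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data.len
# capture.pcapng is a placeholder; addresses come from documentation ranges.
SAMPLE = (
    "192.0.2.10\t49152\t198.51.100.7\t9000\t512\n"
    "192.0.2.10\t49152\t198.51.100.7\t9000\t1460\n"
    "198.51.100.7\t9000\t192.0.2.10\t49152\t64\n"
    "192.0.2.23\t50111\t203.0.113.5\t4444\t100\n"
    "\t\t\t\t48\n"  # no IPv4 fields, e.g. an IPv6 frame
    "192.0.2.10\t49153\t198.51.100.7\t9000\t200\n"
)


def summarize(text):
    """Return (ranked, skipped): directed flows sorted by undissected
    payload bytes, and the number of rows that could not be attributed."""
    totals = defaultdict(lambda: [0, 0])  # flow -> [frames, bytes]
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            src, sport, dst, dport, length = line.split("\t")
            if not src or not dst:
                raise ValueError("no IPv4 addresses in this row")
            # Heuristic (assumption): the lower port is the service port.
            service = min(int(sport), int(dport))
            # tshark joins repeated fields with ","; sum every occurrence.
            size = sum(int(part) for part in length.split(","))
        except ValueError:
            skipped += 1
            continue
        totals[(src, dst, service)][0] += 1
        totals[(src, dst, service)][1] += size
    ranked = sorted(
        ((flow, frames, size) for flow, (frames, size) in totals.items()),
        key=lambda item: item[2],
        reverse=True,
    )
    return ranked, skipped


if __name__ == "__main__":
    flows, skipped = summarize(SAMPLE)
    for (src, dst, port), frames, size in flows:
        print(f"{src} -> {dst} service port {port}: {frames} frames, {size} bytes")
    print(f"rows skipped: {skipped}")
```

The top senders are the machines to inspect first; a known in-house application on a fixed port showing up here is the normal case described in the comments above.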