This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Protocol Hierarchy Meaning

0

Hi,

I want to know what the "DATA" protocol under "Statistics> Protocol Hierarchy> Frame> Ethernet> IPv4> TCP > DATA" means.

I'm analyzing several captures but I don't have any idea what this DATA means.

Best regards and thanks for the help.


asked 12 Jan '12, 12:15

DavOz

edited 12 Jan '12, 12:40


One Answer:

1

"data" just means that some dissector (say TCP) didn't know how to dissect a payload (e.g. couldn't dispatch to a dissector for the payload) and so chose to just display the payload bytes as "data".

answered 12 Jan '12, 12:46

Bill Meier ♦♦

Thanks,

Just to be really clear, this means that Wireshark couldn't detect which TCP protocol this payload is and just displays it as Data? Is there any statistic or way to find who is generating this DATA?

(Note: I've converted your answer to a comment per the way this site works. Please see the FAQ).

(12 Jan '12, 12:59) DavOz

You certainly can use 'data' as a display filter to find frames showing 'data'.

You would need to look in detail at the relevant frames, determine the source machine, determine what on that machine is sending the frames, etc., etc. (I'm leaving out the details.)

Note that it may be perfectly normal to see Wireshark decode something as 'data'.

For example, if I write a client/server application which sends data over TCP with my own format (i.e., using my own protocol) then obviously Wireshark wouldn't be able to decode the data (unless I wrote a dissector for that protocol).

(12 Jan '12, 13:12) Bill Meier ♦♦

Also: there are certainly many protocols which Wireshark doesn't know how to dissect. New & updated protocol dissectors are being added all the time.

(12 Jan '12, 13:15) Bill Meier ♦♦

Thank you Bill, I really appreciate your help. Can you tell me how this filter could be used? I'm just a Wireshark amateur.

(12 Jan '12, 13:26) DavOz

You can find instructions in the Wireshark User's Guide. See the section on filters.

Basically, in this case it boils down to entering 'data' in the filter toolbar text entry field and then clicking Apply.

Wireshark will then show only frames containing a 'data' display.

(12 Jan '12, 13:44) Bill Meier ♦♦

Thank you again... Really thank you...

(12 Jan '12, 14:08) DavOz
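Added example, not part of the original thread: one way to answer "who is generating this DATA" from the command line is to apply the `data` display filter with tshark and total the undissected payload bytes per TCP sender. The file name `capture.pcap`, the function names and the sample rows are assumptions made for this illustration.

```shell
#!/bin/sh
# Rank TCP senders whose payload Wireshark left undissected ("data").
# Expected input: tab-separated rows as produced by
#   tshark -r capture.pcap -Y 'tcp && data' -T fields \
#          -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data.len
# (capture.pcap is a placeholder; IPv6 traffic would need ipv6.src/ipv6.dst).

TAB=$(printf '\t')

# Output: bytes <TAB> frames <TAB> "src:port -> dst:port", largest first.
summarize_data_senders() {
    awk -F '\t' '
        # Skip rows with a missing address or a non-numeric length.
        NF == 5 && $1 != "" && $3 != "" && $5 ~ /^[0-9]+$/ {
            key = $1 ":" $2 " -> " $3 ":" $4
            frames[key]++
            bytes[key] += $5
        }
        END {
            for (k in frames)
                printf "%d\t%d\t%s\n", bytes[k], frames[k], k
        }
    ' | sort -t "$TAB" -k1,1nr -k3,3
}

# The flow that carried the most undissected bytes.
top_data_sender() {
    summarize_data_senders | head -n 1 | cut -f3
}

# Constructed sample of the tshark output above (not from a real capture).
sample_rows() {
    printf '10.0.0.5\t49152\t10.0.0.9\t9000\t512\n'
    printf '10.0.0.7\t50000\t10.0.0.9\t9000\t100\n'
    printf '10.0.0.5\t49152\t10.0.0.9\t9000\t1024\n'
    printf '10.0.0.9\t9000\t10.0.0.5\t49152\t64\n'
    printf '\t\t\t\t\n'   # row with empty fields, ignored by the summary
}

sample_rows | summarize_data_senders
```

A flow that dominates this list on a fixed server port is a candidate for Decode As or for a custom dissector, as the answer notes for home-grown protocols.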