1 | initial version |
I understand Transport Layer Protocols may not need to add up incrementally, but I understand that subprotocols/subvariants within them should.
Well, no, because of how Wireshark classifies traffic. If a packet is over port 80 and has data, Wireshark will classify it as HTTP, running on TCP. If the packet is empty--no data--Wireshark will classify it as simply TCP, not as HTTP even though it's over port 80. So empty packets--handshake packets, acknowledgement packets, FIN packets--will all be classified as TCP, and not as the higher level protocol, in this case HTTP. This is true for all protocols that run on TCP.
So the total number of packets for protocols running on TCP will never be the same as the total number of TCP packets in the Protocol Hierarchy. The difference is the number of packets with no data. You can also see this in the Protocol column in the Packet List pane. The Protocol column shows the highest level protocol that Wireshark can identify. In an HTTP stream, you will see that some packets show HTTP in the Protocol column, and some show just TCP. The ones listed as TCP have no data.