Wireshark shows a protocol in the Protocol column only if it dissects that protocol in the frame.

For TCP, if there is no protocol payload, there's nothing to dissect, so it shows it as TCP. For such a TCP segment (ACK-only), there might be ways of determining what protocol is appropriate at that particular point in the stream, although, for example, if you have a protocol running atop TCP that can, in turn, transport multiple protocols in the same session, the top-level protocol (which is what shows up in the Protocol column) in frame N might not be the same as the top-level protocol in frame M, for M > N, and, for frame K, where M > K > N, the best you could do would probably be to pick the protocol for frame N. Note, furthermore, that the protocol for frame N isn't in frame K, so if you use that protocol as a display filter, it won't - and shouldn't - match frame K.

(This is, obviously, not a problem unique to TCP.)

If a dissector that's asking the TCP dissector to do reassembly were to set the Protocol column even if it indicates to TCP that there's more reassembly to be done, that would handle the "when tcp.len>0 and is TCP segment of reassembled PDU" case.
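
The following is an added example, not part of the original answer and not Wireshark code: a Python sketch of the carry-forward labelling described above, run over constructed frame records. `Frame`, `label_frames` and `display_filter` are hypothetical names, and the HTTP-to-WebSocket switch is an assumed instance of the top-level protocol changing within one TCP session.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frame:
    number: int
    stream: int               # plays the role of tcp.stream
    tcp_len: int              # plays the role of tcp.len (0 = ACK-only)
    dissected: Optional[str]  # top-level protocol dissected in this frame, if any

def label_frames(frames):
    """Map frame number -> (column label, inferred?).

    A frame with no dissected payload borrows the label of the most recent
    dissected frame in the same stream; the flag marks it as a guess.
    """
    last = {}    # stream -> latest dissected top-level protocol
    labels = {}
    for f in sorted(frames, key=lambda fr: fr.number):
        if f.dissected is not None:
            last[f.stream] = f.dissected
            labels[f.number] = (f.dissected, False)
        else:
            # Nothing seen yet on this stream: all we can say is "TCP".
            labels[f.number] = (last.get(f.stream, "TCP"), f.stream in last)
    return labels

def display_filter(frames, proto):
    """A protocol-name filter matches only frames that contain the protocol."""
    return [f.number for f in frames if f.dissected == proto]

# Constructed sample capture (not real traffic).
FRAMES = [
    Frame(1, 0, 0, None),           # handshake ACK, no payload yet
    Frame(2, 0, 120, "HTTP"),       # frame N
    Frame(3, 0, 0, None),           # frame K: ACK-only
    Frame(4, 0, 300, "WebSocket"),  # frame M: top-level protocol changed
    Frame(5, 0, 0, None),           # ACK-only after the change
    Frame(6, 1, 0, None),           # other stream, nothing dissected so far
]

if __name__ == "__main__":
    for num, (label, inferred) in label_frames(FRAMES).items():
        print(num, label, "(inferred)" if inferred else "")
    print("filter 'HTTP' matches frames:", display_filter(FRAMES, "HTTP"))
```

Frame 3 gets the inferred label HTTP, but a filter on HTTP still returns only frame 2, because the protocol is not present in frame 3.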