IPv4 Statistics -> IP Protocol Types

asked 2019-07-06 03:14:36 +0000

Chuckc

updated 2019-07-06 03:21:17 +0000

Statistics -> Protocol Hierarchy does a good job breaking out IPv4 protocol types:

 - Internet Protocol Version 4: 246
 - User Datagram Protocol: 166
 - Transmission Control Protocol: 14
 - Internet Group Management Protocol: 4
 - Internet Control Message Protocol: 62

Statistics -> IPv4 Statistics -> IP Protocol Types seems to only display UDP and TCP then lumps everything else into NONE.

IPv4 Statistics/IP Protocol Types:
Topic / Item       Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
IP Protocol Types  246       <snip>   0.0075        100%          0.2200        32.631       
 UDP               166             <snip>   0.0051        67.48%        0.2200        32.631       
 TCP               14               <snip>   0.0004        5.69%         0.0700        7.913        
 NONE              66              <snip>  0.0020        26.83%        0.0600        10.330       

Is this by design? Need to download the code and start grepping around but thought I would ask here also.

thanks chuckc


Version 3.0.2 
Copyright 1998-2019 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
Compiled (32-bit) with Qt 5.12.3, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 
Running on 32-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM)2 Duo CPU P7570 @ 2.26GHz, with 3032 MB of physical memory, with locale English_United States.1252, with Npcap version 0.995, based on libpcap version 1.9.1-PRE-GIT, with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.16, build 27030).
1 Answer

answered 2019-07-18 13:14:25 +0000

Chuckc

Guess I'll finish the book before asking more questions. :-)

Wireshark Network Analysis The Official Wireshark Certified Network Analyst Study Guide 2nd Edition (Version 2.1c)

Page 68 - Footnote 39 "... It doesn't give us a breakdown of all the traffic that can run over IP (such as ICMP) - it just lists UDP, TCP and then everything else is just "None". If you want to know what is running over IP, view the Protocol Hierarchy statistics instead."

Personally, I think an enhancement bug should be opened for this behavior. First off, if all other protocol types besides TCP and UDP are going to be grouped together, then why not group them as "OTHER"? Grouping them as "NONE" makes no sense to me.

But if the Protocol Hierarchy Statistics (PHS) can show other protocol types in the hierarchy, then there's no reason why the IPv4 Statistics -> IP Protocol Types dialog couldn't show them as well.

And there should be some consistency between PHS and the IPv4 Statistics -> IP Protocol Types dialog. For example, if you have an ICMP Destination Unreachable carrying a TCP Header, the PHS only shows IP/ICMP; yet the IPv4 Statistics -> IP Protocol Types dialog shows only TCP. PHS should show IP/ICMP/IP/TCP and the IPv4 Statistics -> IP Protocol Types dialog should show both IP/ICMP and IP/TCP.

cmaynard ( 2021-06-27 14:38:43 +0000 )

I never make it down that far in the Statistics menu. Looking at it now, seems that this was intended as an example plugin. Maybe it should be disabled by default. Similar to pluginifdemo.

Chuckc ( 2021-06-27 18:20:53 +0000 )
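The per-protocol breakdown this thread asks for can be produced outside Wireshark by tallying the IPv4 Protocol field directly. The following is an added example, not code from the thread or from Wireshark: it counts the outer protocol of each packet and, separately, the protocol of any IPv4 header quoted inside an ICMP Destination Unreachable, which is the case raised in the comments. The function names and the in-memory sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# IANA protocol numbers for the types seen in the question's capture.
PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def ipv4(proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (checksum left 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def pcap(frames):
    """Wrap IPv4 packets in Ethernet frames inside a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ip in frames:
        eth = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    return out

def ip_proto_counts(data):
    """Return (outer, quoted): per-protocol counts from the outer IPv4 header, and
    from IPv4 headers quoted inside ICMP Destination Unreachable messages."""
    outer, quoted = Counter(), Counter()
    off = 24                                    # skip pcap global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue                            # not Ethernet/IPv4, or truncated
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        outer[PROTO.get(proto, f"proto {proto}")] += 1
        icmp = frame[14 + ihl:]
        # ICMP type 3 = Destination Unreachable; quoted IPv4 header starts 8 bytes in.
        if proto == 1 and len(icmp) >= 28 and icmp[0] == 3 and icmp[8] >> 4 == 4:
            q = icmp[8 + 9]
            quoted[PROTO.get(q, f"proto {q}")] += 1
    return outer, quoted

# Constructed sample: 3 UDP, 1 TCP, 1 IGMP, 1 ICMP echo, 1 ICMP unreachable quoting TCP.
unreachable = bytes([3, 3, 0, 0, 0, 0, 0, 0]) + ipv4(6, b"\x00" * 8)
SAMPLE = pcap([ipv4(17)] * 3 + [ipv4(6), ipv4(2), ipv4(1, bytes([8, 0, 0, 0, 0, 0, 0, 0])),
               ipv4(1, unreachable)])

if __name__ == "__main__":
    outer, quoted = ip_proto_counts(SAMPLE)
    print(dict(outer), dict(quoted))
```

Keeping the two counters separate means a quoted TCP header never inflates the TCP total, while the ICMP packet carrying it is still counted as ICMP.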

