Ask Your Question
0

Wireshark -Protocol Hierarchy Omitting large amount of subprotocol traffic

asked 2021-11-19 10:18:55 +0000

Nilstorm gravatar image

updated 2021-11-19 10:41:12 +0000

To Summarize, the total of my subprotocol/subvariant packet percentages do not sum up to its header

In this case: TCP= 97.1%, Subvariants/Subprotocols(Http,TLS,'Data')= ~30%. Nothing else

I understand Transport Layer Protocols may not need to add up incrementally, but I understand that subprotocols/subvariants within them should.

That's approximately ~70% of subprotocol behaviour that is not being viewed or captured by Wireshark? This concerns me as I do not run any ecclectic services or protocols on my device, this is a simple browsing/gaming PC.

From my understanding if Wireshark cannot dissect particular protocols or information, it would automatically assign packets to either 'Data' or 'Other' Subvariants under a header. However even this is not present so what may best describe this, or how may I go about figuring it out what this remaining traffic is.

A user on another forum suggested using an analysis tool like sflow

edit retag flag offensive close merge delete

Comments

Is the question about the math not adding up or missing protocols?
Here is an example with a large number of TCP packets reassembled into higher protocol packets.

Chuckc gravatar imageChuckc ( 2021-11-19 13:55:03 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-11-19 15:31:56 +0000

Jim Aragon gravatar image
I understand Transport Layer Protocols may not need to add up incrementally, but I understand that subprotocols/subvariants within them should.

Well, no, because of how Wireshark classifies traffic. If a packet is over port 80 and has data, Wireshark will classify it as HTTP, running on TCP. If the packet is empty--no data--Wireshark will classify it as simply TCP, not as HTTP even though it's over port 80. So empty packets--handshake packets, acknowledgement packets, FIN packets--will all be classified as TCP, and not as the higher level protocol, in this case HTTP. This is true for all protocols that run on TCP.

So the total number of packets for protocols running on TCP will never be the same as the total number of TCP packets in the Protocol Hierarchy. The difference is the number of packets with no data. You can also see this in the Protocol column in the Packet List pane. The Protocol column shows the highest level protocol that Wireshark can identify. In an HTTP stream, you will see that some packets show HTTP in the Protocol column, and some show just TCP. The ones listed as TCP have no data.

edit flag offensive delete link more

Comments

Okay thanks this clarifies it along with Chuckc's example. So if im understanding correctly TCP will account for TCP instances as well as higher protocols that use TCP in providing the % packet count.

But if there is a % packet count for a higher protocol like TLS for example, is this amount calculated in the header's total value or does it stand seperately? e.g TCP 97.1% packets, TLS 20.3% packets.

EDIT: I realize it could be both as a packet can be detected to have several protocols?

Nilstorm gravatar imageNilstorm ( 2021-11-20 05:37:21 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-11-19 10:18:55 +0000

Seen: 433 times

Last updated: Nov 19 '21