Is it possible that wireshark doesn't recognize protocol?

asked 2017-12-11 11:27:48 +0000

Zahra gravatar image

I have some encrypted traffic but, for the same source and destination IPs and ports which are simultaneous, Wireshark assigns different protocol type as shown in picture. what is wrong here? why it confuses protocol type?

PS: The IP addresses which are hidden in the picture are the same IP addresses

Do you mean TCP and SSL as different protocols? If so: SSL is embedded in TCP. When there is TCP payload (tcp.len >0) Wireshark shows SSL. If there is not TCP payload: Wireshark show TCP as protocol.

Uli gravatar imageUli ( 2017-12-11 11:52:13 +0000 )edit

@Uli. Yes TCP, SSL, and SSLv2, SSLv3. Also, it marks the packet as TCP when tcp.len>0 and is TCP segment of reassembled PDU.

Zahra gravatar imageZahra ( 2017-12-11 14:57:47 +0000 )edit

1 Answer

answered 2017-12-12 01:59:33 +0000

Guy Harris gravatar image

Wireshark shows a protocol in the Protocol column only if it dissects that protocol in the frame.

For TCP, if there is no protocol payload, there's nothing to dissect, so it shows it as TCP. For such a TCP segment (ACK-only), there might be ways of determining what protocol is appropriate at that particular point in the stream, although, for example, if you have a protocol running atop TCP that can, in turn, transport multiple protocols in the same session, the top-level protocol (which is what shows up in the Protocol column) in frame N might not be the same as the top-level protocol in frame M, for M > N, and, for frame K, where M > K > N, the best you could do would probably be to pick the protocol for from N. Note, furthermore, that the protocol for frame N isn't in frame K, so if you use that protocol as a display filter, it won't - and shouldn't - match frame K.

(This is, obviously, not a problem unique to TCP.)

If a dissector that's asking the TCP dissector to do reassembly were to set the Protocol column even if it indicates to TCP that there's more reassembly to be done, that would handle the "when tcp.len>0 and is TCP segment of reassembled PDU" case.

