This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why do I see TCP packets on the network?

0

This is a question more related to the fundamentals of networking rather than Wireshark itself. I've been trying to learn networking from some videos on the internet and if I understand correctly each layer of the network model is encapsulated by the layer below it. Why do I see TCP and UDP packets on the network then? Shouldn't they be encapsulated by IP packets?

asked 31 Oct '13, 11:20

_delta_


One Answer:

1

Are you looking in the Protocol column in Wireshark's Packet List pane? In this column, Wireshark lists the highest level protocol that it can identify, which is why you see TCP instead of IP. Yes, the TCP and UDP packets are encapsulated in IP, which is in turn encapsulated in Ethernet.

If you look in the Packet Details pane, you'll see the entire packet: TCP or UDP, IP, and Ethernet. And if the TCP or UDP packet contains data, you'll see the higher-level protocol, such as HTTP or SMTP, if Wireshark can identify it.

answered 31 Oct '13, 11:30

Jim Aragon

Okay so if I understand correctly, Wireshark sometimes can't identify higher than a certain level like TCP. Why is that?

(31 Oct '13, 11:52) _delta_

There may not be a higher level. Some TCP packets are just acknowledgments; they do not contain any data.

(31 Oct '13, 13:13) Jim Aragon
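
The encapsulation discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's code: a small Python walker that peels Ethernet, IPv4 and TCP/UDP off a frame and reports the outermost-to-innermost stack, the last entry being what a Protocol column would show. The sample frames, addresses and ports are constructed, and the HTTP check is a simplified stand-in for a real dissector.

```python
import struct

def build_frame(payload: bytes, flags: int = 0x10) -> bytes:
    """Constructed sample: Ethernet II + IPv4 + TCP to port 80, checksums left 0."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, flags, 65535, 0, 0)
    # Ethernet pads short frames to 60 bytes, so a bare ACK carries trailing zeros.
    return (eth + ip + tcp + payload).ljust(60, b"\x00")

def protocol_stack(frame: bytes) -> list:
    """Return the layers found in an Ethernet II frame, outermost first."""
    layers = ["Ethernet"]
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return layers                      # not IPv4: stop at the link layer
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return layers
    layers.append("IPv4")
    ihl = (ip[0] & 0x0F) * 4               # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    segment = ip[ihl:total_len]            # trim Ethernet padding via IP total length
    if ip[9] == 17 and len(segment) >= 8:
        layers.append("UDP")
    elif ip[9] == 6 and len(segment) >= 20:
        layers.append("TCP")
        data_off = (segment[12] >> 4) * 4  # TCP header length in bytes
        payload = segment[data_off:] if data_off >= 20 else b""
        ports = struct.unpack("!HH", segment[:4])
        # Simplified heuristic (assumption): port 80 plus an HTTP-looking first line.
        if payload and 80 in ports and payload.startswith((b"GET ", b"POST ", b"HTTP/")):
            layers.append("HTTP")
    return layers

def protocol_column(frame: bytes) -> str:
    """Highest layer identified, analogous to the Packet List Protocol column."""
    return protocol_stack(frame)[-1]

if __name__ == "__main__":
    ack = build_frame(b"")                                   # pure acknowledgment
    get = build_frame(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", flags=0x18)
    for name, frame in (("ACK", ack), ("GET", get)):
        print(name, " > ".join(protocol_stack(frame)), "->", protocol_column(frame))
```

The pure ACK stops at TCP because its segment has no payload once the Ethernet padding is trimmed using the IP total length; the request frame goes one layer higher.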