This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

protocol hierarchy % packet for tcp

0

I am looking at the Protocol Hierarchy for TCP in the Statistics>Protocol Hierarchy and it does not seem to add up as far as the % packets is concerned. I have TCP as 94.76%. But when I expand the selection for TCP, the protocols are around 0.03%, except 27.24% for SSL. I added up the protocols under TCP and it did not add up to 94.76%. It is barely 30%. Am I missing something? Thanks

asked 07 Feb '15, 12:48

jaja


2 Answers:

0

No, not really - it's just that the protocol hierarchy does not have an "other" row for the remaining percentage. Think of the missing rest as just that - data that Wireshark could not classify any further.

answered 07 Feb '15, 12:51

Jasper ♦♦

Ahh... That makes sense... Thx

(07 Feb '15, 12:53) jaja

0

A packet must have data in it for Wireshark to classify it with the higher-level protocol. If it does not have any data, then Wireshark considers it TCP only. Packets on port 80 with data in them are HTTP, but packets on port 80 with no data are listed as TCP, not HTTP. Using this rule, connection establishment packets, connection termination packets, and ACK packets with no data are just TCP and are not further classified in the Protocol Hierarchy. You can see this same behavior in the Protocol column of the main Wireshark display. Assuming you're looking at a trace in which data is flowing in one direction only, most of the "missing" packets under TCP are probably ACK packets.

answered 07 Feb '15, 14:33

Jim Aragon

I learn new things every day. Thank you very much.

(07 Feb '15, 17:09) jaja
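
Added example, not part of the original question or answers: a short Python sketch that rebuilds Protocol Hierarchy style rows and adds the "(other)" row both answers describe, i.e. packets whose dissection stopped at TCP. It assumes one protocol stack string per packet in the form of Wireshark's `frame.protocols` field (for example from `tshark -r capture.pcap -T fields -e frame.protocols`); the sample lines and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: one frame.protocols value per packet.
SAMPLE = """\
eth:ethertype:ip:tcp
eth:ethertype:ip:tcp
eth:ethertype:ip:tcp:ssl
eth:ethertype:ip:tcp:http
eth:ethertype:ip:tcp
eth:ethertype:ip:udp:dns
eth:ethertype:ip:tcp:ssl
eth:ethertype:ip:tcp
eth:ethertype:arp
eth:ethertype:ip:tcp
""".splitlines()

def hierarchy(lines):
    """Count packets for every protocol path prefix (one hierarchy row each)."""
    counts = Counter()
    for line in lines:
        layers = [p for p in line.strip().split(":") if p]
        for depth in range(1, len(layers) + 1):
            counts[tuple(layers[:depth])] += 1
    return counts

def unclassified(counts, path):
    """Packets dissected no further than `path` (pure ACK, SYN, FIN, ...)."""
    path = tuple(path)
    deeper = sum(n for p, n in counts.items()
                 if len(p) == len(path) + 1 and p[:-1] == path)
    return counts[path] - deeper

def rows(lines, path):
    """Percent of all packets for `path`, each child row, and '(other)'."""
    counts, path = hierarchy(lines), tuple(path)
    total = sum(n for p, n in counts.items() if len(p) == 1)
    out = {path[-1]: 100.0 * counts[path] / total}
    for p, n in sorted(counts.items()):
        if len(p) == len(path) + 1 and p[:-1] == path:
            out[p[-1]] = 100.0 * n / total
    out["(other)"] = 100.0 * unclassified(counts, path) / total
    return out

if __name__ == "__main__":
    for name, pct in rows(SAMPLE, "eth:ethertype:ip:tcp".split(":")).items():
        print(f"{name:10s} {pct:6.2f}%")
```

With the "(other)" row included, the child rows sum to the TCP row, which is the remainder the question could not account for.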