
Wireshark - Protocol Hierarchy omitting large amount of subprotocol traffic

To summarize, the total of my subprotocol/subvariant packet percentages does not sum up to its header.

In this case: TCP = 97.1%, subvariants/subprotocols (HTTP, TLS, 'Data') = ~30%. Nothing else.

I understand Transport Layer Protocols may not need to add up incrementally, but I understand that subprotocols/subvariants within them should.

That's approximately 70% of subprotocol behaviour that is not being viewed or captured by Wireshark? This concerns me as I do not run any eclectic services or protocols on my device; this is a simple browsing/gaming PC.

From my understanding, if Wireshark cannot dissect particular protocols or information, it would automatically assign packets to either 'Data' or 'Other' subvariants under a header. However, even this is not present, so what may best describe this, or how may I go about figuring out what this remaining traffic is?

A user on another forum suggested using an analysis tool like sFlow.

Nilstorm
asked 2021-11-19 10:18:55 +0000, updated 2021-11-19 10:41:12 +0000

Comments

Is the question about the math not adding up or missing protocols?
Here is an example with a large number of TCP packets reassembled into higher protocol packets.

Chuckc (2021-11-19 13:55:03 +0000)

1 Answer

I understand Transport Layer Protocols may not need to add up incrementally, but I understand that subprotocols/subvariants within them should.

Well, no, because of how Wireshark classifies traffic. If a packet is over port 80 and has data, Wireshark will classify it as HTTP, running on TCP. If the packet is empty--no data--Wireshark will classify it as simply TCP, not as HTTP even though it's over port 80. So empty packets--handshake packets, acknowledgement packets, FIN packets--will all be classified as TCP, and not as the higher level protocol, in this case HTTP. This is true for all protocols that run on TCP.

So the total number of packets for protocols running on TCP will never be the same as the total number of TCP packets in the Protocol Hierarchy. The difference is the number of packets with no data. You can also see this in the Protocol column in the Packet List pane. The Protocol column shows the highest level protocol that Wireshark can identify. In an HTTP stream, you will see that some packets show HTTP in the Protocol column, and some show just TCP. The ones listed as TCP have no data.

Jim Aragon
answered 2021-11-19 15:31:56 +0000

Comments

Okay, thanks, this clarifies it along with Chuckc's example. So if I'm understanding correctly, TCP will account for TCP instances as well as higher protocols that use TCP in providing the % packet count.

But if there is a % packet count for a higher protocol like TLS, for example, is this amount calculated in the header's total value or does it stand separately? e.g. TCP 97.1% packets, TLS 20.3% packets.

EDIT: I realize it could be both as a packet can be detected to have several protocols?

Nilstorm (2021-11-20 05:37:21 +0000)
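The counting rule Jim Aragon describes, and the nested-percentage question raised in the follow-up comment, can be reproduced with a toy model of Protocol Hierarchy Statistics. The script below is an added example written for this page, not code from Wireshark or from anyone in the thread. The packet records are constructed by hand, and the port-to-protocol mapping (80 -> HTTP, 443 -> TLS, anything else with a payload -> "Data") is a simplification of Wireshark's default port-based dissection; the function names are my own.

```python
"""
Toy Protocol Hierarchy Statistics: why HTTP/TLS/Data rows never add up to the
TCP row.  Every TCP packet is counted once per layer it contains, so a TLS
record counts under both TCP and TLS, while an empty segment (SYN, pure ACK,
FIN) counts under TCP only.
"""
from collections import Counter

# Constructed packet records (not captured): (src_port, dst_port, flags, payload_len).
SAMPLE_PACKETS = [
    # Three-way handshake to a web server: no payload -> TCP only.
    (51000, 80, "SYN", 0),
    (80, 51000, "SYN,ACK", 0),
    (51000, 80, "ACK", 0),
    # HTTP request and response: payload present -> TCP + HTTP.
    (51000, 80, "PSH,ACK", 120),
    (51000, 80, "ACK", 0),          # empty ACK for the response -> TCP only
    (80, 51000, "PSH,ACK", 1400),
    (51000, 80, "FIN,ACK", 0),
    (80, 51000, "FIN,ACK", 0),
    # TLS session on 443.
    (51001, 443, "SYN", 0),
    (443, 51001, "SYN,ACK", 0),
    (51001, 443, "ACK", 0),
    (51001, 443, "PSH,ACK", 517),   # ClientHello
    (443, 51001, "PSH,ACK", 1460),  # ServerHello and friends
    (51001, 443, "ACK", 0),
    # Unknown application on a high port carrying data -> TCP + Data.
    (51002, 9000, "PSH,ACK", 64),
    (9000, 51002, "ACK", 0),
]

# Simplified stand-in for Wireshark's default port-based dissector table.
WELL_KNOWN = {80: "HTTP", 443: "TLS"}


def classify(pkt):
    """Return the protocol rows a packet contributes to, outermost first.

    Every TCP packet counts under TCP.  Only a packet that carries payload
    also counts under a higher-layer protocol, or under 'Data' when no
    dissector claims the port.
    """
    src, dst, _flags, payload_len = pkt
    layers = ["TCP"]
    if payload_len == 0:
        return layers
    for port in (dst, src):
        if port in WELL_KNOWN:
            layers.append(WELL_KNOWN[port])
            return layers
    layers.append("Data")
    return layers


def protocol_hierarchy(packets):
    """Map protocol row -> (packet count, percent of all packets)."""
    counts = Counter()
    for pkt in packets:
        for layer in classify(pkt):
            counts[layer] += 1
    total = len(packets)
    return {proto: (n, round(100.0 * n / total, 1)) for proto, n in counts.items()}


def empty_segment_count(packets):
    """Number of TCP segments with no payload: the 'missing' share."""
    return sum(1 for p in packets if p[3] == 0)


if __name__ == "__main__":
    phs = protocol_hierarchy(SAMPLE_PACKETS)
    for proto, (n, pct) in phs.items():
        print(f"{proto:5s} {n:3d} packets {pct:5.1f}%")
    subtotal = sum(n for proto, (n, _) in phs.items() if proto != "TCP")
    print("TCP minus sub-protocol rows:", phs["TCP"][0] - subtotal,
          "| empty segments:", empty_segment_count(SAMPLE_PACKETS))
```

With these sixteen constructed packets the TCP row shows 100% while HTTP, TLS and Data together cover only five packets; the gap of eleven is exactly the number of zero-payload segments, which is the check worth running on a real capture when the rows look like they "lose" traffic. The same loop also answers the follow-up question: a TLS packet is counted in both the TCP row and the TLS row, so the sub-rows are part of the parent's total rather than separate from it. One caveat the model leaves out: in a real capture, segments that Wireshark reassembles into a larger HTTP or TLS PDU are attributed to the higher protocol only on the final segment, so the earlier pieces also land in the TCP row, which is what Chuckc's example illustrates.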
