asked on

wireshark protocol hierarchy

I am looking at the Protocol Hierarchy for TCP in the Statistics>Protocol Hierarchy and it does not seem to add up as far as the % packets is concerned. I have TCP as 94.76%. But when I expand the selection for TCP, the protocols are around 0.03%, except 27.24% for SSL. I added up the protocols under TCP and it did not add up to 94.76%. It is barely 30%. Am I missing something? Thanks

UnHeardOf

If you look over one column you'll see the total number of packets. If you perform a filter in the capture you should see that the total number of TCP packets match that column. Next do a filter for HTTP in the capture and if you look at the packet details you'll notice that it uses tcp which is a sub category of tcp in the protocol statistics.

leblanc

ASKER

Attached is the pic of my tcp protocol hierarchy statistics. If I added everything under TCP, it is not equal to 94.76%.

SOLUTION

UnHeardOf

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

leblanc

ASKER

"94.76% of the packets are TCP. Of those TCP packets 27.24% are SSL" I agree with you.
"If you had up all the items under TCP and subtract that from the TCP % thats the percentage that are just defined as TCP" I don't understand this. To me if tcp is 94.76% and everything under that (from ssl to dns) should add up to that 94.76%. No?

ASKER CERTIFIED SOLUTION

UnHeardOf

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

jburgaard

These 'just TCP' are in control of the TCP-flow , like the packet I received was OK , you may speed up, slow down please, resend or whatever.

leblanc

ASKER

ok. yes now I see what you meant. The difference between the tcp % and the actual tcp% is the tcp that is not shown here. So that makes sense. I did not know that. I thought that some packets were dropped.