In Wireshark's Protocol Hierarchy Statistics screen, is the total byte count of a capture the sum of the Bytes column or just the top line (Frame)?

Posted by Howiecamp on Server Fault See other posts from Server Fault or by Howiecamp
Published on 2010-12-23T14:51:55Z Indexed on 2010/12/23 14:55 UTC
Read the original article Hit count: 184

Part 1 - I'm looking at Wireshark's Protocol Hierarchy Statistics screen (sample below), is the total byte count of the capture the sum of the Bytes column or just the top line (Frame)?

I'm 99% that it's the latter because of protocol rollup but I wanted to conform.

Part 2 - From Wireshark documentation on this screen, "Protocol layers can consist of packets that won't contain any higher layer protocol, so the sum of all higher layer packets may not sum up to the protocols packet count. Example: In the screenshot TCP has 85,83% but the sum of the subprotocols (HTTP, ...) is much less. This may be caused by TCP protocol overhead, e.g. TCP ACK packets won't be counted as packets of the higher layer)."

Can you explain this?

© Server Fault or respective owner

Related posts about domain-controller

Related posts about wireshark