Wireshark
the world's foremost network protocol analyzer
Wireshark-users: [Wireshark-users] Question about tshark protocol hierarchy statistics (phs)
From: Daniel Gramsch <dagra@xxxxxx>
Date: Tue, 08 Jul 2008 15:17:12 +0200
Hi,probably I have a simple question, but I am a newbie with the wireshark toolset. So my question is about the PHS output of the tshark -z io,phs option. What is the difference between the http frames directly after the tcp frames (X) and the http frames after the tcp.segments frames (Y) (see the listing below)? Are these frames something else than "normal" http packets? And what does the tcp.segments stands for?
I had a look at http://www.wireshark.org/docs/dfref/t/tcp.html. There I found the hint, that tcp.segments are reassembled TCP segments. Are the among listed http packets therefore some kind of incomplete or something like that?
Thanks for your help,
Daniel
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:3009563 bytes:1237262948
eth frames:3009563 bytes:1237262948
ip frames:2763059 bytes:1220107838
...
tcp frames:1470740 bytes:1083581805
...
http frames:123475
bytes:113927238 (X)
...
tcp.segments frames:40833 bytes:26965095
http frames:35403 bytes:21411395
(Y)
...
===================================================================
- Prev by Date: Re: [Wireshark-users] Capturing Giant Packets Only
- Next by Date: Re: [Wireshark-users] BPDU packets
- Previous by thread: Re: [Wireshark-users] how to print time with epoch formation by tshark
- Next by thread: [Wireshark-users] Does Wireshark modify the Ethernet Interface in ANY way while capturing?
- Index(es):