Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: [Wireshark-users] Question about tshark protocol hierarchy statistics (phs)

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Daniel Gramsch <dagra@xxxxxx>
Date: Tue, 08 Jul 2008 15:17:12 +0200
Hi,
probably I have a simple question, but I am a newbie with the wireshark toolset. So my question is about the PHS output of the tshark -z io,phs option. What is the difference between the http frames directly after the tcp frames (X) and the http frames after the tcp.segments frames (Y) (see the listing below)? Are these frames something else than "normal" http packets? And what does the tcp.segments stands for?
I had a look at http://www.wireshark.org/docs/dfref/t/tcp.html. There I found the hint, that tcp.segments are reassembled TCP segments. Are the among listed http packets therefore some kind of incomplete or something like that? 

Thanks for your help,
Daniel


===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                 frames:3009563 bytes:1237262948
 eth                                   frames:3009563 bytes:1237262948
   ip                                   frames:2763059 bytes:1220107838
     ...
     tcp                                frames:1470740 bytes:1083581805
       ...
http frames:123475 bytes:113927238 (X) 
         ...
       tcp.segments               frames:40833 bytes:26965095
http frames:35403 bytes:21411395 (Y) 
         ...
===================================================================
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube