When Wireshark can't determine how part of a packet should be formatted, it marks that chunk as "Data". This can be caused by the following:
- The "Data" is a protocol that Wireshark doesn't support.
- The "Data" is a protocol that has been disabled using Wireshark's Enabled Protocols feature.
- The "Data" is a protocol that Wireshark supports, but doesn't recognize. If this is the case, you can use Wireshark's User Specified Decodes feature or its protocol preferences to force the decoding of a protocol.
- The "Data" is just that - the normal data payload of a protocol.
The concept of "data" predates networking protocols and is outside the scope of this page. For a complete discussion, see the Wikipedia entry on data.
The data dissector doesn't directly depend on any protocol, but it can show up in any packet.
The data dissector is fully functional.
There are no preferences for the data dissector. However, protocol preferences and other settings described above can affect its display.
Example capture file
XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
A complete list of Data display filter fields can be found in the display filter reference.
Show only packets where un-decoded data is present:
Look for a specific URL in HTTP data:
frame.protocols contains "http:data" and data contains "<a href=\"http://www.example.com\""
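An added example (not part of the original page or of Wireshark itself): it ranks ports by how many bytes were left undecoded as "Data", then builds the tshark `-d` (Decode As) argument for a port you decide to force-decode. The tshark command in the docstring, the chosen field list and the sample rows are assumptions constructed for illustration.

```python
"""Rank ports by undecoded "Data" bytes, from tshark field output.

Assumed command that produces the tab-separated input (not from the page):
  tshark -r capture.pcap -Y data -T fields \
         -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport -e data.len
"""
from collections import defaultdict

# Constructed sample rows; an empty column means the field was absent.
SAMPLE = (
    "10.0.0.5\t10.0.0.9\t8888\t\t512\n"
    "10.0.0.5\t10.0.0.9\t8888\t\t1024\n"
    "10.0.0.7\t10.0.0.9\t\t5355\t40\n"
    "10.0.0.5\t10.0.0.9\t8888\t\t100,28\n"  # two Data items in one frame
    "10.0.0.8\t10.0.0.9\t\t\t\n"            # no port or length: skipped
)


def undecoded_by_port(text):
    """Return [(proto, port, frames, bytes)], largest byte count first."""
    totals = defaultdict(lambda: [0, 0])  # (proto, port) -> [frames, bytes]
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5:
            continue  # malformed row
        _src, _dst, tcp_port, udp_port, lengths = cols
        proto, port = ("tcp", tcp_port) if tcp_port else ("udp", udp_port)
        if not port or not lengths:
            continue
        # tshark joins repeated fields with commas; use the first port
        # and sum every data.len occurrence in the frame.
        key = (proto, int(port.split(",")[0]))
        totals[key][0] += 1
        totals[key][1] += sum(int(n) for n in lengths.split(",") if n)
    rows = [(p, port, f, b) for (p, port), (f, b) in totals.items()]
    return sorted(rows, key=lambda r: -r[3])


def decode_as_arg(proto, port, dissector):
    """Build the tshark Decode As option, e.g. -d tcp.port==8888,http."""
    return f"-d {proto}.port=={port},{dissector}"


if __name__ == "__main__":
    for proto, port, frames, nbytes in undecoded_by_port(SAMPLE):
        print(f"{proto}/{port}: {frames} frames, {nbytes} undecoded bytes")
    print(decode_as_arg("tcp", 8888, "http"))
```

A port that carries a large volume of "Data" is a candidate for Decode As or for a closer look at what protocol is actually running there.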
You cannot directly filter data while capturing.