data "protocol"

When Wireshark can't determine how part of a packet should be formatted, it marks that chunk as "Data". This can be caused by the following:

  • The "Data" is a protocol that Wireshark doesn't support.

  • The "Data" is a protocol that has been disabled using Wireshark's Enabled Protocols feature.

  • The "Data" is a protocol that Wireshark supports, but doesn't recognize. If this is the case, you can use Wireshark's User Specified Decodes feature or its protocol preferences to force the decoding of a protocol.

  • The "Data" is just that - the normal data payload of a protocol.


The concept of "data" predates networking protocols and is outside the scope of this page. For a complete discussion, see the Wikipedia entry on data.

Protocol dependencies

The data dissector doesn't directly depend on any protocol, but it can show up in any packet.

Example traffic



The data dissector is fully functional.

Preference Settings

There are no preferences for the data dissector. However, protocol preferences and other settings described above can affect its display.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short. It's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of Data display filter fields can be found in the display filter reference.

Show only packets where un-decoded data is present:


Look for a specific URL in HTTP data:

frame.protocols contains "http:data" and data contains "<a href=\"\"" 
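
To tell which of the causes listed at the top of this page applies, it helps to see which ports carry the undecoded bytes. The shell script below is an added example, not part of the original wiki page: it ranks ports by how much "Data" they carry, reading tshark field output. The function names, the constructed sample rows and the file name capture.pcapng are assumptions.

```shell
#!/bin/sh
# Rank the ports whose payload was left as "Data".
# Input: tab-separated rows  tcp.dstport <TAB> udp.dstport <TAB> data.len
# as printed by (capture.pcapng is a placeholder file name):
#   tshark -r capture.pcapng -Y data -T fields \
#          -e tcp.dstport -e udp.dstport -e data.len

summarize_data_ports() {
    awk -F '\t' '
        # Skip rows that carry no data length at all.
        $3 !~ /^[0-9]+(,[0-9]+)*$/ { next }
        {
            # A field that occurs several times in one packet is printed
            # comma-separated: sum every data.len, keep the first port.
            sum = 0
            n = split($3, parts, ",")
            for (i = 1; i <= n; i++) sum += parts[i]

            if ($1 != "")      { split($1, p, ","); key = "tcp/" p[1] }
            else if ($2 != "") { split($2, p, ","); key = "udp/" p[1] }
            else               { key = "other" }   # data not over TCP or UDP

            pkts[key]++
            bytes[key] += sum
        }
        END { for (k in pkts) printf "%s\t%d\t%d\n", k, pkts[k], bytes[k] }
    ' | sort -t "$(printf '\t')" -k3,3nr -k1,1
}

# Constructed sample rows standing in for real tshark output.
sample_rows() {
    printf '8888\t\t512\n'
    printf '8888\t\t1024\n'
    printf '\t5005\t200\n'
    printf '\t5005\t100,60\n'   # two data items in one packet
    printf '443\t\t\n'          # no data.len: ignored
    printf '\t\t46\n'           # data directly over another layer
}

# Columns: port, packets with data, undecoded bytes (largest first).
sample_rows | summarize_data_ports
```

A port that dominates the output is a candidate for the User Specified Decodes feature mentioned above (in tshark, the `-d` option); ports that Wireshark already dissects will normally show only ordinary payload here.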

Capture Filter

You cannot directly filter data while capturing.

External links


Imported from on 2020-08-11 23:19:19 UTC