Differences between revisions 7 and 8
Revision 7 as of 2006-06-09 03:25:44
Size: 2205
Editor: GeraldCombs
Comment:
Revision 8 as of 2008-04-12 17:51:30
Size: 2217
Editor: localhost
Comment: converted to 1.6 markup
Line 7: Line 7:
 * The "Data" is a protocol that has been disabled using Wireshark's [http://www.wireshark.org/docs/wsug_html_chunked/ChAdvProtocolDissectionSection.html#ChAdvEnabledProtocols Enabled Protocols] feature
 * The "Data" is a protocol that Wireshark supports, but doesn't recognize. If this is the case, you can use Wireshark's [http://www.wireshark.org/docs/wsug_html_chunked/ChAdvProtocolDissectionSection.html#ChAdvDecodeAs User Specified Decodes] feature or its protocol preferences to force the decoding of a protocol.
 * The "Data" is a protocol that has been disabled using Wireshark's [[http://www.wireshark.org/docs/wsug_html_chunked/ChAdvProtocolDissectionSection.html#ChAdvEnabledProtocols|Enabled Protocols]] feature
 * The "Data" is a protocol that Wireshark supports, but doesn't recognize. If this is the case, you can use Wireshark's [[http://www.wireshark.org/docs/wsug_html_chunked/ChAdvProtocolDissectionSection.html#ChAdvDecodeAs|User Specified Decodes]] feature or its protocol preferences to force the decoding of a protocol.
Line 13: Line 13:
The concept of "data" predates networking protocols and is outside the scope of this page. For a complete discussion, see the [http://en.wikipedia.org/wiki/Data the Wikipedia entry on data]. The concept of "data" predates networking protocols and is outside the scope of this page. For a complete discussion, see the [[http://en.wikipedia.org/wiki/Data|the Wikipedia entry on data]].
Line 21: Line 21:
attachment:data.png {{attachment:data.png}}
Line 36: Line 36:
A complete list of Data display filter fields can be found in the [http://www.wireshark.org/docs/dfref/d/data.html display filter reference] A complete list of Data display filter fields can be found in the [[http://www.wireshark.org/docs/dfref/d/data.html|display filter reference]]
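Review bot: in the Line 13 hunk the converted link keeps the article inside the link text ("see the [[http://en.wikipedia.org/wiki/Data|the Wikipedia entry on data]]"), so the rendered sentence reads "see the the Wikipedia entry on data"; drop "the" from the link text while the line is being touched. The same applies to the missing full stops after the link in the Line 36 hunk and after "feature" in the first bullet of the Line 7 hunk, which the conversion carries over unchanged.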

data "protocol"

When Wireshark can't determine how part of a packet should be formatted, it marks that chunk as "Data". This can be caused by the following:

  • The "Data" is a protocol that Wireshark doesn't support.
  • The "Data" is a protocol that has been disabled using Wireshark's Enabled Protocols feature.
  • The "Data" is a protocol that Wireshark supports, but doesn't recognize. If this is the case, you can use Wireshark's User Specified Decodes feature or its protocol preferences to force the decoding of a protocol.
  • The "Data" is just that - the normal data payload of a protocol.

History

The concept of "data" predates networking protocols and is outside the scope of this page. For a complete discussion, see the Wikipedia entry on data.

Protocol dependencies

The data dissector doesn't directly depend on any protocol, but it can show up in any packet.

Example traffic

data.png

Wireshark

The data dissector is fully functional.

Preference Settings

There are no preferences for the data dissector. However, protocol preferences and other settings described above can affect its display.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short; it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of Data display filter fields can be found in the display filter reference.

  • Show only packets where un-decoded data is present:

      data

  • Look for a specific URL in HTTP data:

      frame.protocols contains "http:data" and data contains "<a href=\"http://www.example.com\""
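To see which of the causes listed at the top of the page applies, the frames matched by the `data` filter can be exported with tshark and grouped by the protocol stack the undissected bytes sit under. The script below is an added example, not part of the original wiki page; it assumes tab-separated output from `tshark -r capture.pcap -Y data -T fields -e frame.number -e frame.protocols -e data.data` (capture.pcap is a placeholder name), and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample of the tshark field output described above:
# frame.number <TAB> frame.protocols <TAB> data.data (hex, with or without colons).
SAMPLE = (
    "4\teth:ethertype:ip:tcp:data\t474554202f20485454502f312e310d0a\n"
    "9\teth:ethertype:ip:tcp:http:data\t3c6120687265663d22687474703a2f2f\n"
    "12\teth:ethertype:ip:udp:data\t00:01:02:ff\n"
    "15\teth:ethertype:ip:tcp:data\t0d0a0d0a\n"
)

def parse_line(line):
    """Split one exported row into (frame number, protocol layers, payload bytes)."""
    number, protocols, hexdata = line.rstrip("\n").split("\t")
    # Older tshark builds print bytes colon-separated; repeated fields are comma-joined.
    payload = bytes.fromhex(hexdata.replace(":", "").replace(",", ""))
    return int(number), protocols.split(":"), payload

def preview(payload, limit=24):
    """Printable-ASCII view of the first bytes; everything else becomes '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload[:limit])

def summarize(text):
    """Group undissected payloads by the layers that precede 'data'."""
    groups = defaultdict(lambda: {"frames": [], "bytes": 0, "preview": ""})
    for line in text.splitlines():
        if not line.strip():
            continue
        number, layers, payload = parse_line(line)
        if "data" not in layers:
            continue  # frame carries no undissected chunk
        parent = ":".join(layers[:layers.index("data")])
        group = groups[parent]
        if not group["frames"]:
            group["preview"] = preview(payload)  # keep the first payload as a hint
        group["frames"].append(number)
        group["bytes"] += len(payload)
    return dict(groups)

if __name__ == "__main__":
    for parent, info in sorted(summarize(SAMPLE).items()):
        print(f"{parent:30} frames={info['frames']} "
              f"bytes={info['bytes']} first={info['preview']!r}")
```

A readable preview directly under tcp or udp points to a supported protocol that was not recognized and is a candidate for User Specified Decodes, while data under an application layer such as http is usually just that protocol's payload.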

Capture Filter

You cannot directly filter data while capturing.

Discussion

Protocols/data (last edited 2008-04-12 17:51:30 by localhost)