
I ran wireshark and windump at the same time. Both packet analyzers use the same winpcap library.

However, after doing a row-by-row comparison of the results, I noticed that every column between the 2 matches except for the protocol and info columns: 40% of the protocol column values did not match even though all the source, destination, and length columns did.

So I was wondering: why is there a 40% difference between the protocol columns when both analyzers use the same winpcap library, and which packet capture should I trust to be most accurate?

DAT BOI

2 Answers


The protocol field is the application's best guess at the nature of the protocol. It is not part of the actual capture.

EEAA
  • Thanks for the reply. Could you explain further, which application are you talking about? – DAT BOI Mar 28 '16 at 01:24
  • The application that is interpreting the packet capture taken by your pcap library. – EEAA Mar 28 '16 at 01:24
  • Oh ok, is there any way to determine which packet capture is more accurate between wireshark and windump? – DAT BOI Mar 28 '16 at 01:32
  • You're missing the point. As you determined in [your last question](https://serverfault.com/questions/764973/experiment-wireshark-vs-windump), the captures are the same. The two applications are interpreting the exact same capture in different ways. – EEAA Mar 28 '16 at 01:36

tcpdump, and thus WinDump (which is a port of the tcpdump code to Windows), doesn't have a protocol column per se. Here's some tcpdump output from my machine:

11:11:52.409447 IP 192.168.42.69.45779 > broadcasthost.ssdp: UDP, length 378
11:11:52.717007 IP 192.168.42.69.45779 > broadcasthost.ssdp: UDP, length 431
11:11:52.921460 IP 192.168.42.69.45779 > broadcasthost.ssdp: UDP, length 381
11:11:53.068266 IP 192.168.42.66.49778 > my.isp.net.domain: 38666+ PTR? 69.42.168.192.in-addr.arpa. (44)
11:11:53.123356 ARP, Request who-has 192.168.42.66 (Broadcast) tell 192.168.42.1, length 46
11:11:53.123383 ARP, Reply 192.168.42.66 is-at ac:bc:32:7e:1a:69 (oui Unknown), length 28
11:11:53.128804 IP my.isp.net.domain > 192.168.42.66.49778: 38666 NXDomain* 0/1/0 (93)
11:11:53.129931 IP 192.168.42.66.52809 > my.isp.net.domain: 17704+ PTR? 255.255.255.255.in-addr.arpa. (46)
11:11:53.161878 IP my.isp.net.domain > 192.168.42.66.52809: 17704* 0/1/0 (109)

The first three lines are UDP packets - they're probably SSDP packets, as they're going to the standard port for SSDP (from the ".ssdp" in the destination endpoint), but tcpdump doesn't try to dissect SSDP.

The rest are DNS packets, but there's nothing saying "DNS" there.

So there really aren't protocol columns to compare between tcpdump/WinDump and Wireshark dissections.

Both of them look at the raw packet data to try to determine the protocols being used, and both of them do so differently and can get different results, even when looking at the exact same capture file. Wireshark does a lot more work than tcpdump/WinDump, so it's more likely, in general, to determine the correct top-level protocol.
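As an added illustration (not code from either answer or from tcpdump/Wireshark), the same constructed UDP frame is read by two labelers: one that names only the transport, as tcpdump's output does, and one that guesses the application protocol from port and payload, as a Wireshark dissector would. The header fields agree because they come straight from the bytes; only the guessed label differs. The addresses, payloads and the port/payload heuristics are assumptions for the example.

```python
import socket
import struct

def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; sample input, not a real capture."""
    eth = b"\xff" * 6 + b"\xac\xbc\x32\x7e\x1a\x69" + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum left 0
    return eth + ip_hdr + udp_hdr + payload

def parse_udp(frame):
    """Fields both tools read straight from the bytes; identical in any capture."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None  # not IPv4 over Ethernet, or not UDP
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "length": len(frame), "payload": udp[8:]}

def label_by_transport(pkt):
    """tcpdump-style: name the transport. DNS text may get decoded, but no
    protocol name is printed, so the closest 'protocol column' is just UDP."""
    return "UDP"

def label_by_dissector(pkt):
    """Wireshark-style heuristic (assumed): guess the application from port and payload."""
    if 53 in (pkt["sport"], pkt["dport"]):
        return "DNS"
    if 1900 in (pkt["sport"], pkt["dport"]) and \
            pkt["payload"].startswith((b"M-SEARCH", b"NOTIFY", b"HTTP/1.1")):
        return "SSDP"
    return "UDP"

def compare(frame):
    """Same bytes, one row per tool: header fields agree, the label may not."""
    pkt = parse_udp(frame)
    return {"src": pkt["src"], "dst": pkt["dst"], "length": pkt["length"],
            "tcpdump": label_by_transport(pkt), "wireshark": label_by_dissector(pkt)}

SSDP_FRAME = build_udp_frame("192.168.42.69", "239.255.255.250", 45779, 1900,
                             b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n")
# minimal constructed DNS header: ID 0x970a (38666), flags 0x0100, empty counts
DNS_FRAME = build_udp_frame("192.168.42.66", "10.0.0.1", 49778, 53, b"\x97\x0a\x01\x00" + b"\x00" * 8)

if __name__ == "__main__":
    for frame in (SSDP_FRAME, DNS_FRAME):
        print(compare(frame))
```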