What is the Wireshark protocol column?

I have just started learning networks and I don't understand how Wireshark decides what protocol to display. It usually displays the third layer protocol (TCP\UDP), but why not the protocol of the second or fourth layer? For example:


Solution 1:[1]

Wireshark has separate bits of code called "dissectors" that process different protocols. For example, the TCP dissector handles the TCP header and options, the DNS dissector handles DNS request and response fields, and so on.

You can see this in action in the packet detail view. For example, if I select a packet and the detail shows the following:

Frame 267: 419 bytes on wire (3352 bits), 419 bytes captured (3352 bits)
Ethernet II, Src: 00:50:56:c0:00:01, Dst: 00:0c:29:42:12:13
Internet Protocol Version 4, Src: 93.49.13.169 (93.49.13.169), Dst: 172.16.0.122 (172.16.0.122)
Transmission Control Protocol, Src Port: 2035, Dst Port: 80, Seq: 1, Ack: 1, Len: 365
Hypertext Transfer Protocol

This shows that packet processing started with the "Frame" dissector (it always does), which passed the packet to the Ethernet dissector, followed by the IPv4, TCP, and HTTP dissectors.

Each dissector usually (but not always) sets the protocol column to its name. For example, the TCP dissector sets the protocol column value to "TCP", and the IPv4 dissector sets it to "IPv4".

What does the protocol column show? Whatever the highest-layer dissector that sets the protocol column put there. The last one wins.
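
The "last one wins" behaviour described in the answer above, as an added example that is not part of the original answer and is not Wireshark's code: a toy dissector chain in Python in which each layer overwrites one shared protocol column. The function names, the port-80 hand-off rule and the sample frames are assumptions constructed for illustration.

```python
import struct

# Each toy dissector writes its name into the protocol column, then returns
# (next_dissector, remaining_bytes), or None when nothing follows.
def dissect_ethernet(data, cols):
    cols["protocol"] = "Ethernet"
    (ethertype,) = struct.unpack("!H", data[12:14])
    return (dissect_ipv4, data[14:]) if ethertype == 0x0800 else None

def dissect_ipv4(data, cols):
    cols["protocol"] = "IPv4"
    header_len = (data[0] & 0x0F) * 4
    return (dissect_tcp, data[header_len:]) if data[9] == 6 else None

def dissect_tcp(data, cols):
    cols["protocol"] = "TCP"
    sport, dport = struct.unpack("!HH", data[:4])
    payload = data[(data[12] >> 4) * 4:]
    # Assumption: hand off by port number only, and only when there is a payload.
    return (dissect_http, payload) if payload and 80 in (sport, dport) else None

def dissect_http(data, cols):
    cols["protocol"] = "HTTP"
    return None

def protocol_column(frame):
    """Run the chain; return the final column value and every value it held."""
    cols, history = {"protocol": ""}, []
    step = (dissect_ethernet, frame)
    while step:
        dissector, data = step
        step = dissector(data, cols)
        history.append(cols["protocol"])
    return cols["protocol"], history

def build_frame(payload, sport=2035, dport=80):
    """Constructed Ethernet/IPv4/TCP frame (zeroed MACs and checksums)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    print(protocol_column(build_frame(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")))
    print(protocol_column(build_frame(b"")))  # bare segment, no payload
```

In this model a segment with no payload stops at the TCP dissector, so the column stays "TCP" even though the port is 80.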

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Gerald Combs