Mismatch between frame.protocols, _ws.col.Protocol, filter tag

[Marcin Nawrocki <marcin.nawrocki () fu-berlin de>]

Hi list,


I stumbled upon a mismatch across fields indicating the protocol. 
Consider this extract of traces from the public MAWI WIDE archive (no 
payload): https://www.cloudshark.org/captures/c9752d3184ee



*Case 1 [BVLC]*         *Case 2 [HART_IP]*      *Case 3 [enip]*

        
        
frame.protocols contains "bvlc" is true 
<https://www.cloudshark.org/captures/c9752d3184ee?filter=frame.protocols%20contains%20%22bvlc%22> 
	frame.protocols contains "hart_ip" is true 
<https://www.cloudshark.org/captures/c9752d3184ee?filter=frame.protocols%20contains%20%22hart_ip%22> 
	frame.protocols contains "enip" is true 
<https://www.cloudshark.org/captures/c9752d3184ee?filter=frame.protocols%20contains%20%22enip%22> 

_ws.col.Protocol shows UDP 	_ws.col.Protocol shows hart_ip 
_ws.col.Protocol shows ENIP
using display filter "bvlc" yields no results 
<https://www.cloudshark.org/captures/c9752d3184ee?filter=bvlc> 	using 
display filter "hart_ip" yields no result 
<https://www.cloudshark.org/captures/c9752d3184ee?filter=hart_ip> 	using 
display filter "enip" yields results 
<https://www.cloudshark.org/captures/c9752d3184ee?filter=enip>



Why do we see different behavior for case 1-3, how does it relate to the 
quality of the dissectors?


Cheers, Marcin

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe