Hi,
probably I have a simple question, but I am a newbie with the wireshark
toolset. So my question is about the PHS output of the tshark -z io,phs
option. What is the difference between the http frames directly after
the tcp frames (X) and the http frames after the tcp.segments frames (Y)
(see the listing below)? Are these frames something else than "normal"
http packets? And what does the tcp.segments stands for?
I had a look at http://www.wireshark.org/docs/dfref/t/tcp.html. There I
found the hint, that tcp.segments are reassembled TCP segments. Are the
among listed http packets therefore some kind of incomplete or something
like that?
Thanks for your help,
Daniel
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:3009563 bytes:1237262948
eth frames:3009563 bytes:1237262948
ip frames:2763059 bytes:1220107838
...
tcp frames:1470740 bytes:1083581805
...
http frames:123475
bytes:113927238 (X)
...
tcp.segments frames:40833 bytes:26965095
http frames:35403 bytes:21411395
(Y)
...
===================================================================