lotsofweb.pcap

When dealing with extremely large capture files, you sometimes need to determine the distribution of protocols in the file—that is, what percentage of a capture is TCP, IP, DHCP, and so on. Rather than counting each packet and totaling the results, you can use Wireshark’s Protocol Hierarchy Statistics window, which is a great way to benchmark your network. For instance, if you know that 10 percent of your network traffic is usually made up of ARP traffic, and one day you take a capture that is 50 percent ARP traffic, then you know something might be wrong.

With the lotsofweb.pcap file still open, open the Protocol Hierarchy Statistics window (shown in Figure 5-6) by choosing Statistics ▸ Protocol Hierarchy ...