I'm trying to calculate how much bandwidth is utilised for a particular protocol, at the different layers.
Wireshark Protocol Hierarchy gives something like this:
Protocol   %Bytes   Bytes
Frame      100%     158223
Ethernet   100%     158223
IPv4       100%     158223
TCP        100%     158223
HTTP       32.3%    50786
SSL        8.03     12708
Now what does that mean? It's obvious that all traffic was TCP, and of that, some was HTTP and some SSL.
But what confuses me is that the byte counts for Layers 1, 2, 3 and 4 are all the same. So is 158223 the size of the TCP traffic, or the frame?
I would expect each higher layer to be less, to the value of the header overhead. So something like this:
Protocol   %Bytes   Bytes
Frame      100%     158223
Ethernet   100%     157000   (158223 - x per packet, where x is Frame overhead)
IPv4       100%     154000   (157000 - 18 bytes per packet Ethernet overhead)
TCP        100%     152000   (154000 - 20 bytes per packet IPv4 overhead)
HTTP       32.3%    50786
SSL        8.03     12708
Best Answer
Generally speaking, everything you capture at L2 is a frame, no matter if it is Ethernet, FDDI, ATM, etc. In your example of the 158223 bytes captured, 100% were Ethernet frames.
100% of the bytes of those frames contained L3 information. In your example, 100% of them are IPv4 packets. They could also include IPv6 or some other L3 protocol (or contain no L3 information at all).
100% of the bytes of those packets contain L4 information. In your example, 100% of them are TCP segments. They could also include UDP, for example.
Of those segments, 32.4% of the bytes are HTTP and 8.03% of the bytes are SSL.
So, to answer your question, 158223 is the size of both the TCP traffic and the frame traffic (as well as the Ethernet and the IPv4 traffic).
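The two ways of counting discussed above, side by side, as an added example that is not part of the original question or answer and is not Wireshark's code: "inclusive" credits the whole frame to every layer found in it, as the answer describes, while "from_header" counts only the bytes from that layer's header onward, as the question expected. The frames are constructed sample data (Ethernet II without FCS, IPv4 and TCP without options); `build_frame` and `layer_bytes` are hypothetical helper names.

```python
import struct

ETH_LEN = 14  # Ethernet II header as captured (no preamble, no FCS)

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame; addresses and ports are sample values."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload

def layer_bytes(frames):
    """Return (inclusive, from_header) byte totals per layer."""
    layers = ("Frame", "Ethernet", "IPv4", "TCP", "TCP payload")
    inclusive = dict.fromkeys(layers, 0)
    from_header = dict.fromkeys(layers, 0)
    for f in frames:
        offsets = {"Frame": 0, "Ethernet": 0}  # offset where each layer starts
        if len(f) >= ETH_LEN + 20 and f[12:14] == b"\x08\x00":  # EtherType IPv4
            offsets["IPv4"] = ETH_LEN
            tcp_off = ETH_LEN + (f[ETH_LEN] & 0x0F) * 4  # IHL is in 32-bit words
            if f[ETH_LEN + 9] == 6 and len(f) >= tcp_off + 20:  # protocol 6 = TCP
                offsets["TCP"] = tcp_off
                data_off = tcp_off + (f[tcp_off + 12] >> 4) * 4  # TCP data offset
                if data_off < len(f):  # only frames that carry application data
                    offsets["TCP payload"] = data_off
        for name, off in offsets.items():
            inclusive[name] += len(f)          # whole frame credited to the layer
            from_header[name] += len(f) - off  # lower-layer headers subtracted
    return inclusive, from_header

if __name__ == "__main__":
    # One segment with 100 bytes of data and one with none (e.g. a bare ACK).
    frames = [build_frame(b"A" * 100), build_frame(b"")]
    inc, hdr = layer_bytes(frames)
    for name in inc:
        print(f"{name:12} inclusive={inc[name]:4}  from_header={hdr[name]:4}")
```

With inclusive counting, Frame, Ethernet, IPv4 and TCP all report the same total, and only the application layer drops, because not every segment carries application data.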