Why do different packet analyzers sometimes produce different results?

I ran Wireshark and WinDump at the same time. Both packet analyzers use the same WinPcap library.

However, after doing a row-by-row comparison of the results, I noticed that every column between the two matches except for the protocol and info columns: 40% of the protocol column values did not match even though all the source, destination and length columns did.

So I was wondering: why is there a 40% difference between the protocol columns when both analyzers use the same WinPcap library, and which packet capture should I trust to be most accurate?

Answer

The protocol field is the application’s best guess at the nature of the protocol. It is not part of the actual capture.
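The point in the answer above can be seen directly in code. The example below is added here and is not part of the original question or answer, nor of Wireshark or WinDump: it builds a few constructed Ethernet/IPv4/TCP frames, parses the fields that come straight from the captured bytes (addresses, ports, length), and then labels each frame's protocol twice, once by a port table and once by a payload heuristic. The frames, the port table and the heuristics are assumptions chosen for illustration; real analyzers use much larger tables and more elaborate dissectors, which is exactly why two tools can disagree on the protocol column while agreeing on every column that is read verbatim from the packet.

```python
"""Same capture bytes, two protocol labels: why the protocol column is a guess."""
import struct

# Constructed Ethernet II header: dst MAC, src MAC, EtherType 0x0800 (IPv4).
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"


def build_tcp_frame(src_port, dst_port, payload, src=(10, 0, 0, 1), dst=(10, 0, 0, 2)):
    """Build a minimal IPv4/TCP frame with a constructed payload (checksums left zero)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(src), bytes(dst))
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg.
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ETH_HDR + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Extract the fields that any analyzer reads verbatim from the bytes on the wire."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_proto = frame[14 + 9]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_start = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return {"src": src, "dst": dst, "ip_proto": ip_proto, "sport": src_port,
            "dport": dst_port, "payload": frame[tcp_start + data_off:], "length": len(frame)}


# Assumed port table: the style of labelling a simple decoder falls back on.
PORT_TABLE = {80: "HTTP", 443: "TLS", 53: "DNS"}


def label_by_port(p):
    """Label purely from the well-known port, regardless of what the payload contains."""
    if p["ip_proto"] != 6:
        return "IP"
    for port in (p["dport"], p["sport"]):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    return "TCP"


HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def label_by_content(p):
    """Label from the payload bytes: an assumed content heuristic, ignoring the port."""
    if p["ip_proto"] != 6:
        return "IP"
    data = p["payload"]
    if data.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in data:
        return "HTTP"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "TLS"  # TLS record type 22 (handshake), version major 3
    return "TCP"


def compare_columns(frames):
    """Row-by-row comparison: verbatim columns plus the two competing protocol labels."""
    rows = []
    for frame in frames:
        p = parse_frame(frame)
        rows.append({"src": p["src"], "dst": p["dst"], "length": p["length"],
                     "port_label": label_by_port(p), "content_label": label_by_content(p)})
    return rows


def mismatch_fraction(rows):
    """Share of rows where the two protocol labels disagree (the 'protocol column' gap)."""
    return sum(r["port_label"] != r["content_label"] for r in rows) / len(rows)


# Constructed sample capture: identical bytes go to both labellers.
SAMPLE_FRAMES = [
    build_tcp_frame(51000, 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),   # agree: HTTP
    build_tcp_frame(51001, 8080, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"), # port says TCP
    build_tcp_frame(51002, 443, b""),                                            # bare ACK, no payload
    build_tcp_frame(51003, 80, b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"),  # TLS on port 80
]

if __name__ == "__main__":
    rows = compare_columns(SAMPLE_FRAMES)
    for r in rows:
        print(f'{r["src"]:>10} -> {r["dst"]:<10} len={r["length"]:<4} '
              f'port:{r["port_label"]:<5} content:{r["content_label"]}')
    print(f"protocol column mismatch: {mismatch_fraction(rows):.0%}")
```

Every row agrees on source, destination and length because those fields are decoded from fixed offsets in the captured bytes, while the protocol label depends on which decoding strategy the tool applies. Neither capture is "more accurate" than the other in the sense of the question; the bytes are the same, and the label is an interpretation layered on top of them.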

Attribution
Source: Link, Question Author: DAT BOI, Answer Author: EEAA