When dealing with extremely large capture files, we sometimes need to determine the distribution of protocols in the file—that is, what percentage of a capture is TCP, what percentage is IP, what percentage is DHCP, and so on. Rather than counting each packet and totaling the results, we can use Wireshark's Protocol Hierarchy Statistics window. This is a great way to benchmark your network. For instance, if you know that 10 percent of your network traffic is usually made up of ARP traffic, and one day you take a capture that is 50 percent ARP traffic, then you know something might be wrong.

Open the Protocol Hierarchy Statistics window (shown in Figure 5-6) by choosing Statistics ▸ Protocol Hierarchy.

Notice ...