
Move TRANSPORT_LAYER set and SKIP_PROTOCOLS set to application config #157

@NotYuSheng

Description


Problem

Two small but semantically important sets are hardcoded in Java service classes:

TsharkEnrichmentService.java: TRANSPORT_LAYER (30 entries)
Used in selectBestProtocol() to filter out bare transport/link-layer labels (e.g. TCP, ARP, VLAN) from the _ws.col.Protocol frequency map, so that application-layer labels (e.g. HTTP, TLS, DNS) are preferred even when they appear on fewer packets than the transport-layer label.

NdpiService.java: SKIP_PROTOCOLS (6 entries)
Filters out nDPI labels that are transport-level placeholders (TCP, UDP, ICMP, ICMPv6, Unknown) rather than real application identifiers, so appName is not set to a meaningless transport-layer string.

Both are maintenance liabilities: adding a new encapsulation protocol (e.g. VXLAN, GENEVE, GTP) requires editing source code.

Solution

TsharkEnrichmentService — replace _ws.col.Protocol with frame.protocols

Switch from -e _ws.col.Protocol to -e frame.protocols in the tshark command. The frame.protocols field emits the full colon-delimited protocol stack per packet, e.g.:

eth:ethertype:ip:tcp           → pure TCP packet (no app layer)
eth:ethertype:ip:tcp:http      → HTTP packet
eth:ethertype:ip:udp:dns       → DNS packet
eth:ethertype:ip:tcp:tls       → TLS packet

Taking the last element of the stack gives the deepest protocol Wireshark recognised — the application-layer label. If the last element equals the known L4 transport proto (already available from ip.proto), the packet carries no app-layer signal and is skipped. No hardcoded name list needed.

selectBestProtocol() simplifies to a plain max-by-frequency since the frequency map is pre-filtered at parse time.

NdpiService — derive skip check from the L4 proto

Replace the SKIP_PROTOCOLS set with an inline check against the l4proto already captured from the nDPI flow line:

if (appName.equalsIgnoreCase(l4proto) || "unknown".equalsIgnoreCase(appName)) appName = null;

nDPI reports the bare transport name (e.g. TCP) as the protocol when it cannot identify the application. Since l4proto is already parsed from the same line, no separate set is required.
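As an added example (not the project's code), the two rules above worked through end to end: split frame.protocols, take the deepest label, drop it when it is only the L4 transport derived from ip.proto, count what remains and pick the most frequent label; the nDPI l4proto skip check is included as well. The ip.proto-number-to-name mapping, the class and helper names and the sample lines are assumptions constructed for the example.

```java
import java.util.*;

// Added example, not the project's code: the frame.protocols rule and the
// nDPI l4proto check from the issue. Input lines are constructed in the shape
// `tshark -T fields -e ip.proto -e frame.protocols` emits (tab-separated).
public class ProtocolStackDemo {
    // ip.proto number -> transport name as it appears in frame.protocols (assumed mapping)
    static final Map<String, String> L4_NAMES =
            Map.of("6", "tcp", "17", "udp", "1", "icmp", "58", "icmpv6");
    /** Deepest label of the stack, or null when it is just the L4 transport (no app layer). */
    static String appLayerLabel(String ipProto, String frameProtocols) {
        if (frameProtocols == null || frameProtocols.isEmpty()) return null;
        String[] stack = frameProtocols.split(":");
        String last = stack[stack.length - 1];
        String l4 = L4_NAMES.get(ipProto);
        return (l4 != null && last.equalsIgnoreCase(l4)) ? null : last;
    }
    /** Frequency map pre-filtered at parse time, as parseLine() would build it. */
    static Map<String, Integer> countLabels(List<String> lines) {
        Map<String, Integer> freq = new HashMap<>();
        for (String line : lines) {
            String[] cols = line.split("\t", -1);
            if (cols.length < 2) continue;          // malformed or truncated line
            String label = appLayerLabel(cols[0], cols[1]);
            if (label != null) freq.merge(label, 1, Integer::sum);
        }
        return freq;
    }
    /** selectBestProtocol() reduced to plain max-by-frequency. */
    static Optional<String> selectBestProtocol(Map<String, Integer> freq) {
        return freq.entrySet().stream().max(Map.Entry.comparingByValue()).map(Map.Entry::getKey);
    }
    /** nDPI: a bare transport name or "unknown" is not an application identifier. */
    static String ndpiAppName(String appName, String l4proto) {
        if (appName == null || appName.equalsIgnoreCase(l4proto)
                || "unknown".equalsIgnoreCase(appName)) return null;
        return appName;
    }
    public static void main(String[] args) {
        List<String> lines = List.of(
                "6\teth:ethertype:ip:tcp", "6\teth:ethertype:ip:tcp", "6\teth:ethertype:ip:tcp",
                "6\teth:ethertype:ip:tcp:tls", "6\teth:ethertype:ip:tcp:tls",
                "6\teth:ethertype:ip:tcp:http", "17\teth:ethertype:ip:udp:dns");
        Map<String, Integer> freq = countLabels(lines);   // three bare TCP packets dropped
        System.out.println(freq + " -> " + selectBestProtocol(freq).orElse("none"));
        System.out.println(ndpiAppName("TCP", "TCP") + " / " + ndpiAppName("HTTP", "TCP"));
    }
}
```

In real captures the deepest element can be a generic dissector label such as data rather than an application, which the rule as stated does not filter; worth checking against the frequency map when validating the change.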

Files Changed

  • backend/src/main/java/com/tracepcap/analysis/service/TsharkEnrichmentService.java
  • backend/src/main/java/com/tracepcap/analysis/service/NdpiService.java

Acceptance Criteria

  • TRANSPORT_LAYER static set removed from TsharkEnrichmentService
  • tshark field changed from _ws.col.Protocol to frame.protocols
  • parseLine() extracts the last element of the protocol stack and skips it when it matches the L4 proto
  • selectBestProtocol() simplified — no transport-layer filtering needed
  • SKIP_PROTOCOLS static set removed from NdpiService
  • Skip check uses l4proto comparison + explicit unknown guard
