 | 1 | initial version |
tcp.len is the size of the TCP data c.q. payload. The length of the frame minus tcp.len gives you the TCP header size plus the size of the underlying protocols (IP, Ethernet). So that is the size of the protocol overhead.
For TCP, TLS is just payload.
The payload of TLS is send in "Application Data" records (tls.record.content_type == 23). The size is available as tls.record.length and is the TLS payload plus MAC (Message Authentication Code). The size of the MAC depends on the hash used. For example 32 bytes for SHA256. So the TLS payload size is tls.record.length minus MAC length.
