
There is a TCP option called "Timestamps", which is indeed extra bytes in the TCP header. These are generated by the endpoints to keep track of round-trip times and also as a protection against wrapping sequence numbers. This type of timestamp will be listed under the Options: part of the TCP header.

Then there are timestamps relative to the conversation, which are calculated by Wireshark and are not created by the endpoints and are not part of the TCP header (so the header length can stay at 20). This type of timestamp can be recognized by the [] brackets around the word Timestamps (as can be seen in the example @Chuckc gave in his comment).

From your question, I believe you are seeing the second type of timestamps.
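
To check the distinction on raw bytes, the following added example (not part of the original answer) reads the TCP data offset and walks the options area looking for the Timestamps option (kind 8, length 10, per RFC 7323). The function name, the helper and both sample headers are constructed for illustration; a 20-byte header has no options area, so any timestamp shown for it can only have been calculated by the analyzer.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8  # TCP option kinds

def tcp_timestamps(segment: bytes):
    """Return (header_len, (TSval, TSecr)), or (header_len, None) when the
    header carries no Timestamps option."""
    if len(segment) < 20:
        raise ValueError("shorter than the minimum 20-byte TCP header")
    header_len = (segment[12] >> 4) * 4      # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    opts = segment[20:header_len]            # empty when header_len == 20
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:               # end of option list
            break
        if kind == TCPOPT_NOP:               # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == TCPOPT_TIMESTAMP and length == 10:
            return header_len, struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return header_len, None

def _header(data_offset_words, options=b""):
    # Constructed sample header (not captured traffic): ports, seq, ack,
    # data offset, ACK flag, window, checksum, urgent pointer.
    fixed = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 2000,
                        data_offset_words << 4, 0x10, 65535, 0, 0)
    return fixed + options

PLAIN = _header(5)                           # 20 bytes, no options
WITH_TS = _header(8, b"\x01\x01\x08\x0a" + struct.pack("!II", 123456, 654321))

if __name__ == "__main__":
    for name, seg in (("plain", PLAIN), ("with timestamps", WITH_TS)):
        print(name, tcp_timestamps(seg))
```
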