
Have a look at RFC 792, page 14, where the Echo or Echo Reply Message is defined. As you can see, there's an 8-byte header defined and a subsequent data field. The data field is known to optionally start with a timestamp, and if so detected this is shown by Wireshark. Be aware that it says: Timestamp from icmp data: <timestamp>, which shows that the timestamp is actually part of the data field. Adding the 8 bytes of the timestamp to the raw data field gets you the 56 bytes you were looking for.
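The layout described in this answer, as an added example that is not part of the original answer and is not Wireshark's code: a parser that splits an Echo message into the 8-byte header, an optional leading timestamp, and the remaining data. The timestamp layout (4-byte seconds plus 4-byte microseconds, either byte order), the one-day plausibility window, the function names and the sample packets are assumptions made for illustration.

```python
import struct

HEADER_LEN = 8      # type, code, checksum, identifier, sequence number (RFC 792)
TIMESTAMP_LEN = 8   # assumed layout: 4-byte seconds + 4-byte microseconds

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the ICMP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_echo(icmp: bytes, capture_time: float, window: float = 86400.0) -> dict:
    """Split an Echo / Echo Reply message into header, timestamp and data."""
    if len(icmp) < HEADER_LEN:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:HEADER_LEN])
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an Echo or Echo Reply message")
    data = icmp[HEADER_LEN:]
    info = {"id": ident, "seq": seq, "checksum_ok": inet_checksum(icmp) == 0,
            "data_field_len": len(data), "timestamp": None,
            "remaining_data_len": len(data)}
    if len(data) >= TIMESTAMP_LEN:
        for order in ("<", ">"):  # the sender's byte order is unknown, try both
            sec, usec = struct.unpack(order + "II", data[:TIMESTAMP_LEN])
            # Accept only a value that looks like a time close to the capture time.
            if usec < 1_000_000 and abs(sec - capture_time) <= window:
                info["timestamp"] = sec + usec / 1e6
                info["remaining_data_len"] = len(data) - TIMESTAMP_LEN
                break
    return info

def build_sample(with_timestamp: bool, capture_time: int) -> bytes:
    """Constructed sample: Echo request carrying a 56-byte data field."""
    stamp = struct.pack("<II", capture_time - 1, 250_000)
    data = stamp + bytes(range(48)) if with_timestamp else bytes(range(56))
    head = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
    cksum = inet_checksum(head + data)
    return struct.pack("!BBHHH", 8, 0, cksum, 0x1234, 1) + data

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, parse_echo(build_sample(flag, 1_700_000_000), 1_700_000_000))
```

With the timestamp detected, the 56-byte data field is reported as an 8-byte timestamp plus 48 remaining bytes; without a plausible timestamp all 56 bytes are reported as data.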