Ask Your Question

What does payload refer to?

asked 2021-03-16 17:10:17 +0000

AG111 gravatar image

updated 2021-03-16 17:36:52 +0000

grahamb gravatar image

Hi I am new to wireshark,

I have come across the term payload content many times but I am not sure of its meaning. If I were to click on a layer and see the breakdown.

I also want to know what the size of the payload means. Does it refer to everything after the highlighted frame. So for example if I were to click on ethernet II would the size of the payload content be 14 bytes which is the size of ethernet II. Or would payload content be everything after ethernet II so 500 bytes.

It says ethernet II, Internet Protocol Version, USP , DNS. Is the payload contents the arrow on the left where I can drop down and see the subsections. For example the payload content for DNS in my case would be what the drop down arrow on the left shows in my case is the payload content

Transaction ID: 0x48b7
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries type A, class IN
    [Response In: 41]
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2021-03-16 18:35:36 +0000

SYN-bit gravatar image

You have to look at "payload" from a protocol perspective. So for instance an ethernet II frame has a header consisting of 6 bytes of destination mac-address, 6 bytes of source mac-address and 2 bytes of ethertype. Afther the header comes the payload (as seen from the ethernet perspective) and then comes the 4 bytes of FCS.

You can see it as an envelope, the contents of the envelope is the payload. It can be a letter or it can be just another (smaller) envelope.

So in case of a DNS frame, the IP datagram is the payload, seen from the Ethernet layer. It consists of the IP header and the payload from the IP perspective. In this case the payload from the IP perspective consists of the UDP header and the UDP payload. Then the UDP payload consists of the DNS "packet". As the DNS packet does not encapsulate another protocol, you can see this as the final letter inside the UDP envelope inside the IP envelope inside the Ethernet envelope.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2021-03-16 17:10:17 +0000

Seen: 32 times

Last updated: Mar 16