Ask Your Question

What is the difference between “TCP payload” and “TCP segment data”?

asked 2018-06-12 03:49:02 +0000

pengu1n gravatar image

updated 2018-06-12 03:55:56 +0000

I see in a Wireshark trace "TCP payload (1460 bytes)" and "TCP segment data (1398 bytes). (This is from the first TCP segment corresponding to a TLS "Server hello" and there are three other segments that follow this.)

My question is what is the difference between "TCP payload" and "TCP segment data"?

image description

(Note: I also asked at!

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2018-06-12 11:14:49 +0000

Jaap gravatar image

As you probably know TCP is a stream transport, which means it is intended to transport bytes, without any structure applied to them. Many higher layer protocols (e.g., Transport Layer Security) are based on messages, records, PDU based, or whatever it is called in that protocol. It defines a structure to the bytes. Obviously there's a disconnect here. To make matters worse, the TCP layer itself uses a packet based transport (IP) to get the data stream across the network.

So, from the example, we receive an Ethernet frame, with an IP packet. This packet contains a TCP packet, which contains part of a data stream (ref TCP payload). Fortunately the TCP dissector, together with the higher layer protocol dissector, is able to figure out what part of the TCP payload is relevant for a particular higher layer protocol. This is handed off to the higher layer protocol dissector to be dissected (in this case the TLS "Server Hello").

But what about the rest of the TCP payload? Well, if there are no other takers, being higher layer protocols satisfied that that blob of data is a valid/complete PDU for them and leave it to the TCP dissector to come up with more data first. Which it can't because the TCP payload is exhausted. Therefore the rest of the payload data must be a segment (ref TCP segment) of a larger PDU for the higher layer protocol.

You can find that PDU if you follow the TCP streams' packets where you eventually find a TCP packet which has a Reassembled TCP segments section in it referencing the frame where you found the TLS Server Hello and the remaining TCP segment data. There the whole PDU is reassembled and handed of the higher layer dissector.

For your packet, you should be able to verify this as the TCP payload is 1460 and the TCP segment data (the data remaining) is 1398 that the Server Hello record is 62 bytes long.

As an aside, packets that carry only TCP segment data have a reference added to them to the frame where the reassembly into a complete PDU is done. Unfortunately this reference is not included in TCP packets where part of the payload is dissected. I think that deserves a bug report. It could have avoided this question.

edit flag offensive delete link more


Thank you Jaap. That perfectly answers my question. Much appreciated. Sorry, being a newbie to this forum, I cannot upvote your answer (I need more than 15 points it seems to do so).

If I could ask one little clarification please: The Server Hello record says the length is 57 bytes. Where does the extra 5 bytes (62-57=5) go? I see that all TLS records have a length 5 byte less than what TCP reports. I looked into TLS record structure and could not figure this out.

pengu1n gravatar imagepengu1n ( 2018-06-12 19:50:16 +0000 )edit

The remaining 5 bytes are the TLS record header length (content type = 1 byte, version = 2 bytes, length = 2 bytes)

alajeb gravatar imagealajeb ( 2020-04-20 20:48:29 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-06-12 03:49:02 +0000

Seen: 33,858 times

Last updated: Jun 12 '18