Ask Your Question
0

What is the difference between “TCP payload” and “TCP segment data”?

asked 2018-06-12 03:49:02 +0000

pengu1n gravatar image

updated 2018-06-12 03:55:56 +0000

I see in a Wireshark trace "TCP payload (1460 bytes)" and "TCP segment data (1398 bytes). (This is from the first TCP segment corresponding to a TLS "Server hello" and there are three other segments that follow this.)

My question is what is the difference between "TCP payload" and "TCP segment data"?

image description

(Note: I also asked at https://stackoverflow.com/questions/5...)!

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2018-06-12 11:14:49 +0000

Jaap gravatar image

As you probably know TCP is a stream transport, which means it is intended to transport bytes, without any structure applied to them. Many higher layer protocols (e.g., Transport Layer Security) are based on messages, records, PDU based, or whatever it is called in that protocol. It defines a structure to the bytes. Obviously there's a disconnect here. To make matters worse, the TCP layer itself uses a packet based transport (IP) to get the data stream across the network.

So, from the example, we receive an Ethernet frame, with an IP packet. This packet contains a TCP packet, which contains part of a data stream (ref TCP payload). Fortunately the TCP dissector, together with the higher layer protocol dissector, is able to figure out what part of the TCP payload is relevant for a particular higher layer protocol. This is handed off to the higher layer protocol dissector to be dissected (in this case the TLS "Server Hello").

But what about the rest of the TCP payload? Well, if there are no other takers, being higher layer protocols satisfied that that blob of data is a valid/complete PDU for them and leave it to the TCP dissector to come up with more data first. Which it can't because the TCP payload is exhausted. Therefore the rest of the payload data must be a segment (ref TCP segment) of a larger PDU for the higher layer protocol.

You can find that PDU if you follow the TCP streams' packets where you eventually find a TCP packet which has a Reassembled TCP segments section in it referencing the frame where you found the TLS Server Hello and the remaining TCP segment data. There the whole PDU is reassembled and handed of the higher layer dissector.

For your packet, you should be able to verify this as the TCP payload is 1460 and the TCP segment data (the data remaining) is 1398 that the Server Hello record is 62 bytes long.

As an aside, packets that carry only TCP segment data have a reference added to them to the frame where the reassembly into a complete PDU is done. Unfortunately this reference is not included in TCP packets where part of the payload is dissected. I think that deserves a bug report. It could have avoided this question.

edit flag offensive delete link more

Comments

Thank you Jaap. That perfectly answers my question. Much appreciated. Sorry, being a newbie to this forum, I cannot upvote your answer (I need more than 15 points it seems to do so).

If I could ask one little clarification please: The Server Hello record says the length is 57 bytes. Where does the extra 5 bytes (62-57=5) go? I see that all TLS records have a length 5 byte less than what TCP reports. I looked into TLS record structure and could not figure this out.

pengu1n gravatar imagepengu1n ( 2018-06-12 19:50:16 +0000 )edit

The remaining 5 bytes are the TLS record header length (content type = 1 byte, version = 2 bytes, length = 2 bytes)

alajeb gravatar imagealajeb ( 2020-04-20 20:48:29 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-06-12 03:49:02 +0000

Seen: 34,905 times

Last updated: Jun 12 '18

Related questions

Client is waiting for FIN flag from server for 30 sec

Is it possible that wireshark doesn't recognize protocol?

Download Request failure, Client Machine sending FIN, ACK - [RESOLVED]

How to "follow http stream" for single line in wireshark?

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

wifi disconnects as wireshark starts

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2