Hello,
I am pretty new to Wireshark and trying to understand some basic concepts and terminology. I am analyzing a TCP dump file which contains traffic between an embedded device to remote server. I want to calculate the TLS/TCP payload size in this. As per my understanding, the "Conversations" tab shows the total bytes used that includes MAC, TCP and IP header. Now when I check the "Follow TCP Stream", the byte value shown for the "Entire Conversation" is lesser than "Conversations". I came across a similar post here https://osqa-ask.wireshark.org/questions/35922/how-is-the-of-bytes-calculated-for-entire-conversation-of-follow-tcp-stream/. In that it is mentioned to add a "tcp.len field as a custom column" to show the length of the TCP data segment. In my case the difference between "Length" column and "tcp.len" is always 66. But I am not sure how this value is calculated. Also, is the bytes shown in "Follow TCP Stream" the actual payload size? In the end I want to know the bytes consumed by TLS/TCP payload and headers.
Thanks in advance.