Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

How to calculate the TLS payload?


I am pretty new to Wireshark and trying to understand some basic concepts and terminology. I am analyzing a TCP dump file which contains traffic between an embedded device to remote server. I want to calculate the TLS/TCP payload size in this. As per my understanding, the "Conversations" tab shows the total bytes used that includes MAC, TCP and IP header. Now when I check the "Follow TCP Stream", the byte value shown for the "Entire Conversation" is lesser than "Conversations". I came across a similar post here In that it is mentioned to add a "tcp.len field as a custom column" to show the length of the TCP data segment. In my case the difference between "Length" column and "tcp.len" is always 66. But I am not sure how this value is calculated. Also, is the bytes shown in "Follow TCP Stream" the actual payload size? In the end I want to know the bytes consumed by TLS/TCP payload and headers.

Thanks in advance.