This is a static archive of our old Q&A Site. Please post any new questions and answers at

How to know the total bytes in the message ?


Hey guys,

I'm using the Wireshark for the first time :) I'd like to ask you guys what's the difference between the total bytes in the message and the total number of bytes in the whole frame? Also, how can I get them from the [app after captured]?

Looking forward to hearing from you soon!


asked 30 Aug '12, 19:46

Acalifornia's gravatar image

accept rate: 0%

edited 31 Aug '12, 00:23

Jaap's gravatar image

Jaap ♦

Keep in mind that Wireshark works from the 'the wire' up, that means that it knows about the bytes in the whole frame and works its way up from there. There's no definition of what 'the message' is, so you'll have to elaborate on that first.

(31 Aug '12, 00:26) Jaap ♦

Thanks but I got a book in computer network field and in its website has some assignments and I try to answer the questions. I did all the steps explained in the book but can't answer some of the questions which are what I asked :)

please if you don't mind to look at it here: (assignment 1)


(31 Aug '12, 16:11) Acalifornia

Any help folks?

(02 Sep '12, 16:57) Acalifornia

One Answer:


Please Spend more time with wireshark to do your homework.

Please download the sample Http capture file

I will take the packet number 4 as example. The frame length is the entire packet length which came through the wire to your network card.

What your asking is the Application length over IP/TCP for that check this image below . Check the length of "IP->Total length" = ( ip header length + Tcp Header length+ application) .

So the ip header says 519 ,So subtract 20 Bytes of ip header and 20 bytes of tcp header .

The HTTP message length = 519 -20- 20 = 479 bytes.

Note :I have shown the http as application it can be any other application its decodes based on destination port. And if any application is UDP over IP insted of TCP then subtract 8 bytes as Lenght of UDP is 8 bytes.

alt text

answered 02 Sep '12, 23:16

Harsha's gravatar image

accept rate: 0%

I have attached the image which shows TCP header length alt text

(02 Sep '12, 23:25) Harsha

Thanks for your help :)

To be honest, what you explained is what I did before asking my question. I was confused about the two questions in the assignment which are the total number of bytes in the whole frame and the total bytes in the message (at the application layer).

I've attached an image to show you what I did.

alt text

So, in this case: (as I understand): whole frame: 436 bytes, IP header: 20 bytes, TCP header: 32 bytes, Total bytes in the whole message: 422 - (20+32) = 370 bytes (as you explained).

Correct? ,

How about the number of bytes in the Ethernet? 0 bytes?

(03 Sep '12, 17:30) Acalifornia

yes 370 bytes.

Ethernet frame is of 14 bytes Which is not included in IP total length.

(03 Sep '12, 22:56) Harsha

Thank you! I gotta a question: How did we know that the Ethernet frame is of 14 bytes ? Do we calculate it as: whole frame - IP total length = 436 - 422 = 14 bytes ?

(04 Sep '12, 02:25) Acalifornia

I've converted your "answers" to comments as that's how this site works. Please read the FAQ for more info.

If someone provides an answer that resolves your issue, please accept it by clicking the checkmark icon next to the answer.

(04 Sep '12, 02:39) grahamb ♦