I'm using Wireshark for the first time :) I'd like to ask you guys: what's the difference between the total bytes in the message and the total number of bytes in the whole frame? Also, how can I get them from the [app after captured]?
Looking forward to hearing from you soon!
asked 30 Aug '12, 19:46
edited 31 Aug '12, 00:23
Please spend more time with Wireshark to do your homework.
Please download the sample HTTP capture file http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=http.cap.
I will take packet number 4 as an example. The frame length is the entire packet length which came through the wire to your network card.
What you're asking about is the application length over IP/TCP; for that, check the image below. Check the length of "IP->Total length" = (IP header length + TCP header length + application).
So the IP header says 519, so subtract 20 bytes of IP header and 20 bytes of TCP header.
The HTTP message length = 519 - 20 - 20 = 479 bytes.
Note: I have shown HTTP as the application; it can be any other application, it decodes based on destination port. And if any application is UDP over IP instead of TCP, then subtract 8 bytes, as the length of UDP is 8 bytes.
answered 02 Sep '12, 23:16
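The calculation in the answer above, as an added example that is not part of the original answer: it goes a step further and reads the IP and TCP header lengths from the packet's own IHL and data-offset fields instead of assuming 20 bytes each, so it also covers TCP options and Ethernet padding. The frames are constructed sample data with dummy addresses and ports; `build_frame` and `lengths` are hypothetical helper names.

```python
import struct

def build_frame(payload_len, tcp_options=b"", pad_to=0):
    """Constructed Ethernet II / IPv4 / TCP frame (addresses and ports are dummy values)."""
    tcp_len = 20 + len(tcp_options)            # options must be a multiple of 4 bytes
    total = 20 + tcp_len + payload_len         # value of the "IP -> Total Length" field
    eth = bytes(12) + b"\x08\x00"              # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, (tcp_len // 4) << 4, 0x18, 8192, 0, 0)
    return (eth + ip + tcp + tcp_options + b"A" * payload_len).ljust(pad_to, b"\x00")

def lengths(frame: bytes) -> dict:
    """Frame, IP total, header and application lengths, read from the packet itself."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("need an untagged Ethernet II frame carrying IPv4")
    ip = frame[14:]
    ip_hdr = (ip[0] & 0x0F) * 4                # IHL field, counted in 32-bit words
    ip_total = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip_hdr < 20 or not (ip_hdr <= ip_total <= len(ip)):
        raise ValueError("malformed or truncated IPv4 header")
    l4 = ip[ip_hdr:ip_total]                   # stops at ip_total, so Ethernet padding is ignored
    if ip[9] == 6 and len(l4) >= 20:           # TCP: data offset is the high nibble of byte 12
        l4_hdr, l4_min = (l4[12] >> 4) * 4, 20
    elif ip[9] == 17 and len(l4) >= 8:         # UDP: fixed 8-byte header
        l4_hdr, l4_min = 8, 8
    else:
        raise ValueError("unsupported protocol or truncated transport header")
    if not (l4_min <= l4_hdr <= len(l4)):
        raise ValueError("transport header length is inconsistent with the IP payload")
    return {"frame": len(frame), "ip_total": ip_total, "ip_hdr": ip_hdr,
            "l4_hdr": l4_hdr, "app": ip_total - ip_hdr - l4_hdr}

if __name__ == "__main__":
    print(lengths(build_frame(479)))                         # same numbers as the answer
    print(lengths(build_frame(479, tcp_options=bytes(12))))  # TCP header with 12 option bytes
    print(lengths(build_frame(0, pad_to=60)))                # short frame padded to 60 bytes
```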