I tried to analyze a specific TCP stream with filter like "tcp.stream eq 16", which then show me all the packets in this stream. Then I select one of the packet, and select "Follow TCP Stream", a window was popped up. And below the Stream Content, it shows "Entire conversation (6817 bytes)". However, if I add up the value in the "Length" column for all packets in the stream, the sum is 8575, which is a lot larger than 6817. I'm just wondering how the value "6817" was calculated. asked 02 Sep '14, 00:10  zeal |
One Answer:
The "Follow TCP Stream" probably calculates the TCP payload size, while the length column also contains the overhead of the protocol headers for Ethernet, IP and TCP. So it should be larger. answered 02 Sep '14, 03:47  Jasper ♦♦ |
As Jasper said, "Follow TCP Stream" does not include the headers, while the Length column does. If you want the numbers to match, you can add the tcp.len field as a custom column. That is the length of the TCP data segment, not including any headers.