I tried to analyze a specific TCP stream with filter like "tcp.stream eq 16", which then show me all the packets in this stream. Then I select one of the packet, and select "Follow TCP Stream", a window was popped up. And below the Stream Content, it shows "Entire conversation (6817 bytes)". However, if I add up the value in the "Length" column for all packets in the stream, the sum is 8575, which is a lot larger than 6817. I'm just wondering how the value "6817" was calculated.
asked 02 Sep '14, 00:10
The "Follow TCP Stream" probably calculates the TCP payload size, while the length column also contains the overhead of the protocol headers for Ethernet, IP and TCP. So it should be larger.
answered 02 Sep '14, 03:47