How Wireshark knows where TCP header ends and TCP payload begins. In the IP header, there are two values that indicate the length of the TCP/IP in a specific packet. If you subscribe "Header Length" from "Total Length" (Total Length - Header Length = TCP header and data) in IP header you will get a total length of TCP Header and data. I'm looking a method to get a length of TCP data only. asked 17 May '15, 00:55  Namik |
3 Answers:
IP has two values: IP header length, and IP total length. TCP size (header plus payload) is IP total length minus IP header length. TCP payload size is TCP size minus TCP header length. answered 17 May '15, 02:35  Jasper ♦♦ |
From TCP/IP Guide: "Data Offset: Specifies the number of 32-bit words of data in the TCP header. In other words, this value times four equals the number of bytes in the header, which must always be a multiple of four. It is called a “data offset” since it indicates by how many 32-bit words the start of the data is offset from the beginning of the TCP segment." answered 17 May '15, 02:44  Jaap ♦ |
what about the display filter, tcp.len which can be added as a column.
Regards answered 17 May '15, 06:09  Kurt Knochner ♦ |
