THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question

Revision history  [back]

Revision 1
André's avatar
176
André
answered 2023-06-08 21:01:10 +0000

tcp.len is the size of the TCP data c.q. payload. The length of the frame minus tcp.len gives you the TCP header size plus the size of the underlying protocols (IP, Ethernet). So that is the size of the protocol overhead.
For TCP, TLS is just payload.

The payload of TLS is send in "Application Data" records (tls.record.content_type == 23). The size is available as tls.record.length and is the TLS payload plus MAC (Message Authentication Code). The size of the MAC depends on the hash used. For example 32 bytes for SHA256. So the TLS payload size is tls.record.length minus MAC length.