
What does payload refer to?


Hi, I am new to Wireshark,

I have come across the term payload content many times but I am not sure of its meaning. If I were to click on a layer and see the breakdown.

I also want to know what the size of the payload means. Does it refer to everything after the highlighted frame? So for example, if I were to click on Ethernet II, would the size of the payload content be 14 bytes, which is the size of Ethernet II? Or would payload content be everything after Ethernet II, so 500 bytes?

It says Ethernet II, Internet Protocol Version, UDP, DNS. Is the payload content the arrow on the left where I can drop down and see the subsections? For example the payload content for DNS in my case would be what the drop down arrow on the left shows in my case is the payload content:

    Transaction ID: 0x48b7
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.youtube.com: type A, class IN
    [Response In: 41]
AG111
asked 2021-03-16 17:10:17 +0000
grahamb
updated 2021-03-16 17:36:52 +0000

1 Answer


You have to look at "payload" from a protocol perspective. So for instance an Ethernet II frame has a header consisting of 6 bytes of destination MAC address, 6 bytes of source MAC address and 2 bytes of ethertype. After the header comes the payload (as seen from the Ethernet perspective) and then comes the 4 bytes of FCS.

You can see it as an envelope, the contents of the envelope is the payload. It can be a letter or it can be just another (smaller) envelope.

So in case of a DNS frame, the IP datagram is the payload, seen from the Ethernet layer. It consists of the IP header and the payload from the IP perspective. In this case the payload from the IP perspective consists of the UDP header and the UDP payload. Then the UDP payload consists of the DNS "packet". As the DNS packet does not encapsulate another protocol, you can see this as the final letter inside the UDP envelope inside the IP envelope inside the Ethernet envelope.

SYN-bit
answered 2021-03-16 18:35:36 +0000
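
The envelope nesting described in the answer above, as an added example that is not part of the original posts: it walks a DNS query frame and reports each layer's header size and payload size. The frame is constructed for illustration (MAC addresses, IP addresses and source port are made-up sample values; checksums are zero and not validated), and the capture is assumed not to include the 4-byte FCS.

```python
import struct

def build_sample_frame():
    """Constructed Ethernet II / IPv4 / UDP / DNS query frame (sample values, no FCS)."""
    qname = b"".join(bytes([len(p)]) + p for p in b"www.youtube.com".split(b".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x48B7, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 50000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53])) + udp
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800)
    return eth + ip

def layer_sizes(frame):
    """Return ([(layer, header_len, payload_len), ...], innermost_payload_bytes)."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet II + IPv4 + UDP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("EtherType is not IPv4")
    # Ethernet's payload is everything after its 14-byte header (may include padding).
    layers = [("Ethernet II", 14, len(frame) - 14)]

    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # header + payload, excludes Ethernet padding
    if ihl < 20 or total_len < ihl + 8 or total_len > len(ip):
        raise ValueError("inconsistent IPv4 length fields")
    if ip[9] != 17:
        raise ValueError("IP protocol is not UDP")
    layers.append(("IPv4", ihl, total_len - ihl))

    udp = ip[ihl:total_len]
    udp_len = struct.unpack("!H", udp[4:6])[0]    # UDP header + payload
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("inconsistent UDP length field")
    layers.append(("UDP", 8, udp_len - 8))
    return layers, udp[8:udp_len]                 # the UDP payload is the DNS message

if __name__ == "__main__":
    layers, dns = layer_sizes(build_sample_frame())
    for name, header, payload in layers:
        print(f"{name:12} header={header:2} bytes  payload={payload:2} bytes")
    print(f"DNS message  {len(dns)} bytes, transaction ID 0x{dns[:2].hex()}")
```

Each layer's payload length equals the next layer's header plus payload, except that the Ethernet payload can be larger than the IP total length when the frame was padded to the minimum Ethernet size.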