First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

How to calculate the TLS payload?

Hello,

I am pretty new to Wireshark and trying to understand some basic concepts and terminology. I am analyzing a TCP dump file which contains traffic between an embedded device to remote server. I want to calculate the TLS/TCP payload size in this. As per my understanding, the "Conversations" tab shows the total bytes used that includes MAC, TCP and IP header. Now when I check the "Follow TCP Stream", the byte value shown for the "Entire Conversation" is lesser than "Conversations". I came across a similar post here https://osqa-ask.wireshark.org/questions/35922/how-is-the-of-bytes-calculated-for-entire-conversation-of-follow-tcp-stream/. In that it is mentioned to add a "tcp.len field as a custom column" to show the length of the TCP data segment. In my case the difference between "Length" column and "tcp.len" is always 66. But I am not sure how this value is calculated. Also, is the bytes shown in "Follow TCP Stream" the actual payload size? In the end I want to know the bytes consumed by TLS/TCP payload and headers.

Thanks in advance.

s.user's avatar
1
s.user
asked 2023-06-07 11:47:58 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

tcp.len is the size of the TCP data c.q. payload. The length of the frame minus tcp.len gives you the TCP header size plus the size of the underlying protocols (IP, Ethernet). So that is the size of the protocol overhead.
For TCP, TLS is just payload.

The payload of TLS is send in "Application Data" records (tls.record.content_type == 23). The size is available as tls.record.length and is the TLS payload plus MAC (Message Authentication Code). The size of the MAC depends on the hash used. For example 32 bytes for SHA256. So the TLS payload size is tls.record.length minus MAC length.

André's avatar
176
André
answered 2023-06-08 21:01:10 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer