pengu1n

Reputation: 501

Wireshark: what is the difference between "TCP payload" and "TCP segment data"?

I see in a Wireshark trace "TCP payload (1460 bytes)" and "TCP segment data (1398 bytes)". (This is from the first TCP segment corresponding to a TLS "Server hello" and there are three other segments that follow this.)

My question is what is the difference between "TCP payload" and "TCP segment data".

Another related question is: "Server hello" is 4857 bytes, and broken into 4 TCP segments: 1398 bytes, 1460 bytes, 1460 bytes, and 539 bytes, totaling 4857 bytes. The MTU on the network interface appears to be 1500, so I was expecting to see segments of size 1460, 1460, 1460, and 477. How come it was broken into the former rather than the latter?

Appreciate your help!

Upvotes: 2

Views: 8162

Answers (1)

pengu1n

Reputation: 501

I asked the question at the Wireshark forum and had the answer there: https://ask.wireshark.org/question/3498/what-is-the-difference-between-tcp-payload-and-tcp-segment-data/?answer=3512#post-id-3512

My comment about the first segment carrying 1398 bytes is incorrect. The first segment carries 1460 bytes just like the second one (and third one for that matter), but the first 62 bytes of the 1460 bytes of the first segment belong to "Server Hello" and the rest (1398) along with the payloads of the next three TCP segments belong to "Server Key Exchange" and "Server Hello Done".

The comment user2864740 made is a good one to note, though.

Upvotes: 3
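The byte accounting in the answer above can be reproduced with a short script. This is an added example, not part of the original post: it walks TLS record headers across TCP segment payloads and reports how many bytes of each segment belong to each record. The function names are hypothetical, the payload bytes are constructed, and it assumes the 4857 bytes form a single TLS record.

```python
import struct

def tls_record(content_type, body):
    # TLS record header: content type (1 byte), version (2), length (2)
    return struct.pack("!BHH", content_type, 0x0303, len(body)) + body

def split_segments(stream, sizes):
    # Cut a byte stream into TCP payloads of the given sizes
    out, pos = [], 0
    for n in sizes:
        out.append(stream[pos:pos + n])
        pos += n
    return out

def map_records(segments):
    """For each complete TLS record, return (record length including header,
    [(segment index, bytes of that segment used by the record), ...])."""
    stream = b"".join(segments)
    bounds, off = [], 0
    for seg in segments:
        bounds.append((off, off + len(seg)))  # stream span of each segment
        off += len(seg)
    records, pos = [], 0
    while pos + 5 <= len(stream):
        _, _, length = struct.unpack("!BHH", stream[pos:pos + 5])
        end = pos + 5 + length
        if end > len(stream):
            break  # record is incomplete: more segments are needed
        pieces = []
        for i, (start, stop) in enumerate(bounds):
            n = min(end, stop) - max(pos, start)  # overlap of record and segment
            if n > 0:
                pieces.append((i, n))
        records.append((end - pos, pieces))
        pos = end
    return records

# Constructed sample sized to match the trace: a 62-byte record followed
# by a 4857-byte record, carried in payloads of 1460, 1460, 1460 and 539.
STREAM = tls_record(22, b"\x00" * 57) + tls_record(22, b"\x00" * 4852)
SEGMENTS = split_segments(STREAM, [1460, 1460, 1460, 539])

if __name__ == "__main__":
    for total, pieces in map_records(SEGMENTS):
        print(total, pieces)
```

The first segment's 1460-byte TCP payload splits into 62 bytes for the first record and 1398 bytes of "TCP segment data" for the second, which is the pair of numbers Wireshark displays.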
