08-11-2012 03:10 PM - edited 03-03-2019 06:43 AM
I apologize if this is not the correct place to post this question. I am trying to understand the overhead with TCP and the HTTP response that I see in the packet capture (Wireshark) which I am attaching to this thread.
My understanding is:
I can calculate the TCP data portion by subtracting the IP/TCP headers from the total length field in the IP header. My confusion is when looking at the TCP data payload and then seeing the overhead that is specified in the HTTP response header/message body. I see there are 1448 bytes in the TCP data portion of the packet.
However, the HTTP response header is 347 bytes and the Content-Length of the entity message body is 3867 bytes. I am trying to wrap my head around how to determine the correct overhead for this specific packet. Normally this is very simple, but it's the HTTP response header that's throwing me off.
Can anyone break this down and help me to understand how I can have 1448 for TCP data but greater values for the HTTP portion?
08-11-2012 03:41 PM
Because the HTTP message is fragmented.
You can see the reassembled message somewhere in the following Wireshark screen.
08-11-2012 04:08 PM
So as I am thinking on this, after the first post... The remaining would be the initial segment (not really fragment) of the response message. I think I was overcomplicating this when it is very simple...
Thanks for clarification.
08-11-2012 04:25 PM
You're welcome, thank you for the nice rating and good luck!
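The accounting discussed in this thread, as an added example that is not part of the original posts: it reassembles a constructed HTTP response from out-of-order TCP segments and shows how many header and body bytes each segment carries. Assumptions: the 347-byte header figure includes the terminating blank line, every full segment carries 1448 payload bytes, and the sequence numbers, `X-Pad` header and function names are made up for illustration.

```python
# Constructed sample: 347-byte HTTP header + 3867-byte body, split into TCP
# segments carrying at most 1448 payload bytes (sizes taken from the thread).
MSS_PAYLOAD = 1448

def build_response(header_len=347, body_len=3867):
    """Build a constructed HTTP response with exact header and body sizes."""
    head = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nX-Pad: " % body_len
    pad = header_len - len(head) - 4          # 4 bytes for the final CRLF CRLF
    return head + b"a" * pad + b"\r\n\r\n" + b"b" * body_len

def segment(stream, isn=1000, size=MSS_PAYLOAD):
    """Split a byte stream into (sequence number, payload) tuples."""
    return [(isn + i, stream[i:i + size]) for i in range(0, len(stream), size)]

def reassemble(segments):
    """Order by sequence number and join payloads; reject gaps and overlaps."""
    ordered = sorted(segments)
    stream, expected = b"", ordered[0][0]
    for seq, payload in ordered:
        if seq != expected:
            raise ValueError("gap or overlap at seq %d" % seq)
        stream += payload
        expected = seq + len(payload)
    return stream

def account(segments):
    """Return (header length, Content-Length, per-segment byte split)."""
    stream = reassemble(segments)
    header_len = stream.index(b"\r\n\r\n") + 4
    content_len = None
    for line in stream[:header_len].split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            content_len = int(value.strip())
    rows, offset = [], 0
    for seq, payload in sorted(segments):
        hdr = max(0, min(header_len - offset, len(payload)))  # header bytes here
        rows.append((seq, len(payload), hdr, len(payload) - hdr))
        offset += len(payload)
    return header_len, content_len, rows

if __name__ == "__main__":
    hl, cl, rows = account(segment(build_response())[::-1])  # delivered reversed
    print("header=%d body=%d total=%d" % (hl, cl, hl + cl))
    for seq, size, hdr, body in rows:
        print("seq=%d payload=%d header=%d body=%d" % (seq, size, hdr, body))
```

The first 1448-byte segment holds the whole 347-byte header plus the first 1101 body bytes; the remaining body bytes arrive in the following segments.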