cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1888
Views
0
Helpful
3
Replies
Highlighted
Beginner

TCP / HTTP overhead

I appologize if this is not the correct place to post this question.. I am trying to understand the overhead with tcp and HTTP response that I see in the packet capture (wireshark)  which I am attaching to this thread.

My understanding is:

I can calculate the TCP data portion by subtracting the ip/tcp headers from the total length field in IP header. My confusion is when looking at the tcp data payload and then seeing the overhead that is specified in the HTTP response header/message body.  I see there is 1448 bytes that is the tcp data portion of the packet.

However, the HTTP response header is 347 bytes and the Content-Length of the entity message body is 3867 bytes. I am trying to wrap my head around how to determine the correct overhead for this specific packet. Normally this is very simple but its the HTTP rsponse header thats throwing me off.

Can anyone break this down and help me to understand how I can have 1448 for TCP data but greater values for the HTTP portion?

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Master

Re: TCP / HTTP overhead

Because the HTTP message is fragmented.

You can seen the reassembled message somdwhere in following Wireshark screen.

View solution in original post

3 REPLIES 3
Highlighted
Hall of Fame Master

Re: TCP / HTTP overhead

Because the HTTP message is fragmented.

You can seen the reassembled message somdwhere in following Wireshark screen.

View solution in original post

Highlighted
Beginner

Re: TCP / HTTP overhead

So as I am thinking on this, after the first post..... The remaining  would be the initial segment ( not really fragment ) of the response  message..I think   I was overcomplicating this when it is very simple...

Thanks for clarification.

Highlighted
Hall of Fame Master

Re: TCP / HTTP overhead

You're welcome, thank you for the nice rating and good luck!