Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2751
Views
0
Helpful
3
Replies

TCP / HTTP overhead

Go to solution
andytech1
Level 1
Level 1

‎08-11-2012 03:10 PM - edited ‎03-03-2019 06:43 AM

I appologize if this is not the correct place to post this question.. I am trying to understand the overhead with tcp and HTTP response that I see in the packet capture (wireshark)  which I am attaching to this thread.

My understanding is:

I can calculate the TCP data portion by subtracting the ip/tcp headers from the total length field in IP header. My confusion is when looking at the tcp data payload and then seeing the overhead that is specified in the HTTP response header/message body.  I see there is 1448 bytes that is the tcp data portion of the packet.

However, the HTTP response header is 347 bytes and the Content-Length of the entity message body is 3867 bytes. I am trying to wrap my head around how to determine the correct overhead for this specific packet. Normally this is very simple but its the HTTP rsponse header thats throwing me off.

Can anyone break this down and help me to understand how I can have 1448 for TCP data but greater values for the HTTP portion?

Labels:
Preview file
191 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paolo bevilacqua
Hall of Fame
Hall of Fame

‎08-11-2012 03:41 PM

Because the HTTP message is fragmented.

You can seen the reassembled message somdwhere in following Wireshark screen.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
paolo bevilacqua
Hall of Fame
Hall of Fame

‎08-11-2012 03:41 PM

Because the HTTP message is fragmented.

You can seen the reassembled message somdwhere in following Wireshark screen.

0 Helpful

Go to solution
andytech1
Level 1
Level 1
In response to paolo bevilacqua

‎08-11-2012 04:08 PM

So as I am thinking on this, after the first post..... The remaining  would be the initial segment ( not really fragment ) of the response  message..I think   I was overcomplicating this when it is very simple...

Thanks for clarification.

0 Helpful

Go to solution
paolo bevilacqua
Hall of Fame
Hall of Fame
In response to andytech1

‎08-11-2012 04:25 PM

You're welcome, thank you for the nice rating and good luck!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents