Wireshark: App Data Size

TL;DR

This guide shows you how to calculate the size of application data within Wireshark captures, helping you understand network traffic and identify potential issues.

Calculating Application Data Size in Wireshark

  1. Open Your Capture File: Start Wireshark and open the .pcap or .pcapng file containing your network capture.
  2. Apply a Display Filter (Optional): If you’re interested in specific traffic, use a display filter to narrow down the packets. For example, to see only HTTP traffic:
    http

    Or for TCP port 80:

    tcp.port == 80
  3. Select Packets: Choose the packets you want to analyse. You can click on individual packets or use filters to select a range.
  4. View Packet Details: Double-click a selected packet to open its details pane. Expand the relevant protocol layers (e.g., HTTP, TCP).
  5. Find the Application Data Layer: The location of application data varies depending on the protocol:
    • HTTP: Look for “Data” within the HTTP section.
    • TCP: Expand the TCP layer and find “Payload”.
    • UDP: Expand the UDP layer and find “Payload”.
    • TLS/SSL: The application data is often hidden inside encrypted layers; you may need to decrypt the capture first (see step 9).
  6. Check Packet Summary for Length: Wireshark usually displays the total packet length in the summary column. This includes headers, but it’s a starting point.
  7. Calculate Application Data Size (Method 1 – Using Packet Details):
    • Note the total packet size from the summary column.
    • Add up the sizes of all the header layers *above* the application data layer and subtract the sum from the total packet size. For example, for TCP:
      Total Packet Size - (IP Header Size + TCP Header Size) = Application Data Size

      Typical IP header size is 20 bytes and TCP header size is 20-60 bytes depending on options.

  8. Calculate Application Data Size (Method 2 – Using Expert Info): Wireshark’s expert info can sometimes provide the application data length directly. Go to “Analyse” -> “Expert Info”. Search for entries related to packet lengths or payload sizes.
  9. Decrypt TLS/SSL Captures: If you are analysing encrypted traffic (TLS/SSL), you need to decrypt it:
    • Go to “Edit” -> “Preferences” -> “Protocols” -> “SSL”.
    • Add the private key file or session keys used for encryption.
    • Restart Wireshark and re-open the capture.
    • Once decrypted, you can find application data within the TLS/SSL section as described in step 5.
  10. Statistics (Optional): For a broader view of traffic sizes:
    • Go to “Statistics” -> “Protocol Hierarchy”. This shows the breakdown of packets by protocol and their average size.
    • Go to “Statistics” -> “Conversations” to see data exchanged between specific endpoints.
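
Method 1 from step 7 as a script, added here as an example and not part of the original guide: it reads the actual IP and TCP header lengths from each packet instead of assuming typical values, and subtracts them from the IP total length so that the link-layer header and Ethernet padding, which the frame length shown in Wireshark includes, do not inflate the result. The function names and the constructed sample capture are assumptions of this example, which handles only Ethernet II / IPv4 / TCP frames in a classic little-endian .pcap file.

```python
import struct

ETH_HDR = 14  # Ethernet II header without a VLAN tag (assumption of this example)

def tcp_payload_len(frame):
    """Application bytes carried by one Ethernet II / IPv4 / TCP frame."""
    if len(frame) < ETH_HDR + 40 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4                     # real IP header size, 20-60 bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 20:
        raise ValueError("not IPv4 carrying a complete TCP header")
    total_len = struct.unpack_from("!H", ip, 2)[0]  # IP header + TCP header + data
    data_off = (ip[ihl + 12] >> 4) * 4           # real TCP header size, 20-60 bytes
    if data_off < 20 or total_len < ihl + data_off:
        raise ValueError("inconsistent header lengths")
    return total_len - ihl - data_off            # IP total length excludes padding

def payload_sizes(pcap):
    """Per-packet TCP payload sizes from a classic little-endian .pcap file."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian classic pcap")
    sizes, pos = [], 24                          # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        sizes.append(tcp_payload_len(pcap[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return sizes

def build_frame(payload, tcp_opts=b"", pad=0):
    """Constructed sample frame; addresses are documentation IPs, checksums zero."""
    tcp_len = 20 + len(tcp_opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, (tcp_len // 4) << 4,
                      0x18, 65535, 0, 0) + tcp_opts
    return bytes(12) + b"\x08\x00" + ip + tcp + payload + bytes(pad)

def sample_pcap():
    """Constructed capture: a request, a padded ACK, a segment with TCP options."""
    frames = [build_frame(b"GET / HTTP/1.1\r\n\r\n"), build_frame(b"", pad=6),
              build_frame(b"hello", tcp_opts=b"\x01" * 12)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(payload_sizes(sample_pcap()))
```

The padded ACK in the sample is 60 bytes on the wire, so subtracting fixed 14 + 20 + 20 byte headers from the frame length would report 6 bytes of data where there are none; the segment with 12 bytes of TCP options would be overstated by 12 bytes in the same way.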