python wireshark packet-capture payload

Extracting Packet payload length


I captured some Internet packets via Wireshark, and now I want to extract only the payload length from the total length of the packet using Python. I can get the full length of the packet using pkt.length or pkt.captured_length, but I didn't find any command for extracting only the payload size.


Solution

  • Payload size must be calculated based on the embedded protocol headers and lengths. For example, the IP total length (which is most likely what you are seeing as "packet length") is the length of the entire IP datagram, including IP header, embedded protocol headers, and data. To find the payload length you must, just as an IP stack would:

    • Determine the length of the IP header (likely 20, but it can have options) by multiplying the low-order nibble of the first byte by 4.
    • Determine the embedded protocol header based on the value of the 9th byte in the IP header.
    • Determine the header length of the embedded protocol header; for instance, if this is TCP, multiply the high-order nibble of the twelfth byte by 4 to determine the total header length of the TCP header, including options.

    If you add up these values, you can then subtract them from the IP total length (packet length) to determine the payload length.

    Of course, from an IP point of view, you could just subtract the length of the IP header from the total length; from IP's point of view, everything inside of it is just payload. :)
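
The calculation described in the answer above, as an added Python example that is not part of the original post. It assumes the input is the raw IPv4 datagram with the link-layer header already stripped; `payload_lengths`, `MalformedPacket` and the sample packet are constructed for illustration, and the byte positions are zero-based offsets into the header. Header fields are validated before use, since captured traffic can carry inconsistent length values.

```python
import struct

class MalformedPacket(ValueError):
    """Header fields are inconsistent with each other or with the buffer."""

def payload_lengths(ip: bytes) -> dict:
    """Sizes for a raw IPv4 datagram (assumed: link-layer header already stripped)."""
    if len(ip) < 20:
        raise MalformedPacket("buffer shorter than a minimal IPv4 header")
    # Low-order nibble at offset 0 is the header length in 32-bit words.
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(ip):
        raise MalformedPacket("bad version or IP header length")
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP total length field
    proto = ip[9]                                 # protocol field, zero-based offset 9
    if proto == 6:                                # TCP
        if len(ip) < ihl + 13:
            raise MalformedPacket("TCP header truncated")
        l4 = (ip[ihl + 12] >> 4) * 4              # high-order nibble at TCP offset 12
        if l4 < 20:
            raise MalformedPacket("TCP data offset below 5 words")
    elif proto == 17:                             # UDP header is always 8 bytes
        l4 = 8
    else:                                         # other protocols: IP-level view only
        l4 = 0
    if ihl + l4 > total_len:
        raise MalformedPacket("headers exceed IP total length")
    return {"ip_header": ihl, "protocol": proto, "l4_header": l4,
            "ip_payload": total_len - ihl,
            "app_payload": total_len - ihl - l4}

# Constructed sample: 20-byte IP header, 32-byte TCP header (12 bytes of NOP
# options), 5 bytes of data, then 3 bytes of trailing link-layer padding.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 57, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 8 << 4, 0x18,
                      65535, 0, 0) + b"\x01" * 12
SAMPLE = IP_HDR + TCP_HDR + b"hello" + b"\x00" * 3

if __name__ == "__main__":
    print(len(SAMPLE), payload_lengths(SAMPLE))
```

The sample buffer is 60 bytes long but its IP total length is 57, which is why the subtraction starts from the total length field and not from the captured byte count.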