diff --git a/src/sniffer.c b/src/sniffer.c
index 2a72d30cb..20a342036 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -3052,7 +3052,9 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet,
         SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
         return -1;
     }
-    *sslBytes = (int)(packet + length - *sslFrame);
+    /* We only care about the data in the TCP/IP record. There may be extra
+     * data after the IP record for the FCS for Ethernet. */
+    *sslBytes = (int)(packet + ipInfo->total - *sslFrame);
 
     return 0;
 }
@@ -4069,7 +4071,7 @@ static int ssl_DecodePacketInternal(const byte* packet, int length,
     TcpInfo           tcpInfo;
     IpInfo            ipInfo;
     const byte*       sslFrame;
-    const byte*       end = packet + length;
+    const byte*       end;
     int               sslBytes;                /* ssl bytes unconsumed */
     int               ret;
     SnifferSession*   session = 0;
@@ -4090,6 +4092,8 @@ static int ssl_DecodePacketInternal(const byte* packet, int length,
                      error) != 0)
         return -1;
 
+    end = sslFrame + sslBytes;
+
     ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error);
     if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
     else if (ret == -1) return -1;