Use non-header-including byte size field for tcp connections

[lisaSW]

Currently, the usage of orig_bytes/resp_bytes and orig_ip_bytes/resp_ip_bytes throughout the code is inconsistent. There is also a problem with beacon scores being skewed by variation in the header size of its connections

• [x] make usage of fields consistent
• [x] use orig_bytes/resp_bytes (header-excluding) for tcp connections, and orig_ip_bytes/resp_ip_bytes for all others