Explanation from HCIA-Security documents:
In ESP transport mode, the authentication function provides data integrity and origin authentication for specific parts of the IP packet. The authentication calculation covers the ESP header, TCP/UDP header, user data, and ESP tail (including the Padding, Pad Length, and Next Header fields). However, it does not include the outer IP header, because some IP header fields (such as TTL) may change during packet forwarding. It also does not include the ESP Authentication Data field itself, since that field stores the integrity check value that the calculation produces.
In the diagram, range 3 correctly represents the portion starting from the ESP header up to the ESP tail, excluding the IP header and excluding the ESP Authentication Data field.
Range 1 only covers part of the payload, range 2 does not include the ESP header, and range 4 incorrectly includes the IP header. Therefore, option 3 accurately describes the authentication scope of ESP in transport mode.
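The scope described above can be checked in code. The following is an added example, not taken from the HCIA-Security material: it builds a simplified ESP transport-mode packet and shows that a TTL change leaves the integrity check valid while a change anywhere from the ESP header to the ESP tail breaks it. The key, addresses, SPI, the choice of HMAC-SHA-256 truncated to 128 bits, the zeroed IP checksum and the unencrypted payload are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-32-bytes!!!"   # constructed sample key
ICV_LEN = 16                                 # assumed: HMAC-SHA-256 truncated to 128 bits
# Constructed 20-byte TCP header followed by user data (left unencrypted for clarity).
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 1024, 0, 0) + b"hello"

def esp_trailer(payload_len, next_header):
    """ESP tail: Padding, Pad Length, Next Header, aligned to 4 bytes."""
    pad_len = (-(payload_len + 2)) % 4
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def icv(covered):
    """Integrity check value over the authenticated range only."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]

def build_packet(ttl, spi, seq, segment):
    esp_header = struct.pack("!II", spi, seq)            # SPI + Sequence Number
    covered = esp_header + segment + esp_trailer(len(segment), 6)  # 6 = TCP
    total_len = 20 + len(covered) + ICV_LEN
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0,
                            ttl, 50, 0,                  # protocol 50 = ESP, checksum zeroed
                            bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    # The Authentication Data field is appended last and is not part of `covered`.
    return ip_header + covered + icv(covered)

def verify(packet):
    """Receiver side: recompute the ICV from ESP header through ESP tail."""
    ihl = (packet[0] & 0x0F) * 4                         # skip the IP header entirely
    covered, received = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv(covered), received)

def with_byte(packet, offset, value):
    """Return a copy of the packet with one byte overwritten."""
    mutated = bytearray(packet)
    mutated[offset] = value
    return bytes(mutated)

if __name__ == "__main__":
    pkt = build_packet(ttl=64, spi=0x1000, seq=1, segment=TCP_SEGMENT)
    print("original packet:      ", verify(pkt))
    print("TTL decremented:      ", verify(with_byte(pkt, 8, 63)))
    print("ESP header modified:  ", verify(with_byte(pkt, 20, 0xFF)))
    print("user data modified:   ", verify(with_byte(pkt, 48, 0x48)))
    print("Next Header modified: ", verify(with_byte(pkt, len(pkt) - ICV_LEN - 1, 17)))
```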