This is due to Jumbo Frames or Large Send Offload being enabled in your NIC properties. Depending on which one of those is used the actual frame size sent on the wire could be the size you are seeing there (Jumbo Frames) or the NIC could have broken the frame size up before sending it down the wire (Large Send Offload). In either case the frame will usually be divided into smaller frames once it hits a router. The only real way to determine one way or the other is to sniff the packets on the wire right after they leave the machine in question.
> Date: Sat, 9 Oct 2010 16:13:34 +0200 > From: markryde@xxxxxxxxx > To: wireshark-users@xxxxxxxxxxxxx > Subject: [Wireshark-users] Bytes on wire/bytes captured for TCP traffic is larger than MTU > > Hello, > > I am sniffing with wireshark TCP iperf traffic on a machine where the > NIC has an ordinary NIC. > The MTU of the NIC on the client and the server is the default value (1500). > > I see in the sniff that some of the frames have (2962 bytes on > wire,2962 bytes captured) > and also that the ip header Total length is 2948. My question is: how can it be > that I am getting size of a packet which is almost twice the size of MTU ? > AFAIK, you cannot receive/send packets larger than the MTU without > fragmentation, > and what I see does not show fragmentation. > > Rgs, > Mark Ryden > ___________________________________________________________________________ > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > Archives: http://www.wireshark.org/lists/wireshark-users > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
|