Wireshark-users: Re: [Wireshark-users] How can a packet size be greater than the NIC's MTU?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 3 Dec 2013 21:25:19 -0800
On Dec 3, 2013, at 6:30 PM, Mohamed Lrhazi <lrhazi@xxxxxxxxx> wrote:

> am debugging an issue which seems to be rooted at some MTU problem... and I notice that a host, according to the pcaps I take, using tcpdump, on redhat linux 6.x, the packet size is shown to be over 2500 bytes, when the MTU of the network interface is only 1500.... or is a "packet" as displayed by wireshark or tcpdump, unrelated to the L2 frames?

It could conceivably be not directly related to the L2 frames.

If, for example, the network adapter is doing "large receive offload" or "TCP segmentation offload", it might supply to the host packet that look like TCP segments but are the result of combining multiple TCP segments on the network.

> could there have been more frames for that one "packet"?

Yes.

> How can I have "tcpdump -r" or wireshark, show me the exact frames, so I can see their actual sizes?

By turning "large receive offload" and "TCP segmentation offload".

On Linux, you could do this with the ethtool command:

	http://www.linuxcommand.org/man_pages/ethtool8.html

I think you'd want to turn "tso" and "lro" (which that version of the man page doesn't document) off.

Or, alternatively, plug a third machine into the network and passively capture the traffic with that machine.