Wireshark-users: Re: [Wireshark-users] How can a packet size be greater than the NIC's MTU?
From: Mohamed Lrhazi <lrhazi@xxxxxxxxx>
Date: Wed, 4 Dec 2013 07:54:31 -0500
I am most grateful to all of you, thank you very much... this was driving me nuts!

Mohamed.


On Wed, Dec 4, 2013 at 4:53 AM, Anders Broman <anders.broman@xxxxxxxxxxxx> wrote:


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: den 4 december 2013 06:25
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How can a packet size be greater than the NIC's MTU?


On Dec 3, 2013, at 6:30 PM, Mohamed Lrhazi <lrhazi@xxxxxxxxx> wrote:

>> am debugging an issue which seems to be rooted at some MTU problem... and I notice that a host, according to the pcaps I take, using tcpdump, on redhat linux 6.x, the packet size is shown to be over 2500 >bytes, when the MTU of the network interface is only 1500.... or is a "packet" as displayed by wireshark or tcpdump, unrelated to the L2 frames?
>
>It could conceivably be not directly related to the L2 frames.
>
>If, for example, the network adapter is doing "large receive offload" or "TCP segmentation offload", it might supply to the host packet that look like TCP segments but are the result of combining multiple TCP >segments on the network.
>
>> could there have been more frames for that one "packet"?

>Yes.

>> How can I have "tcpdump -r" or wireshark, show me the exact frames, so I can see their actual sizes?
>
>By turning "large receive offload" and "TCP segmentation offload".
>
>On Linux, you could do this with the ethtool command:
>
>       http://www.linuxcommand.org/man_pages/ethtool8.html
>
>I think you'd want to turn "tso" and "lro" (which that version of the man page doesn't document) off.
>
>
>Or, alternatively, plug a third machine into the network and passively capture the traffic with that machine.

These links may be of interest
http://wiki.wireshark.org/CaptureSetup/Offloading?highlight=%28Offload%29
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

Note that changing the parameters on the "production" interface is not advisable as it might affect performance.

Regards
Anders

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe