Wireshark mailing list archives

Re: How can a packet size be greater than the NIC's MTU?
From: Mohamed Lrhazi <lrhazi () gmail com>
Date: Tue, 3 Dec 2013 23:16:25 -0500

I was not expecting this somehow... When I view a pcap, in Wireshark, or
with "tcpdump -r"... each packet has an Ethernet header section, I just
always assumed each such packet is one, and only one, Ethernet frame.....

So, is there a way to capture, or view in an already captured pcap file, each
frame that a packet was made up of?

Thanks a lot,
Mohamed.





On Tue, Dec 3, 2013 at 10:55 PM, Aaron Wasserott <aaron.wasserott () viawest com> wrote:

The IP packet size can be much larger than the MTU of an Ethernet frame,
which is what the MTU refers to.



*From:* wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] *On Behalf Of* Mohamed Lrhazi
*Sent:* Tuesday, December 03, 2013 7:30 PM
*To:* wireshark-users () wireshark org
*Subject:* [Wireshark-users] How can a packet size be greater than the NIC's MTU?



I guess the subject line is all I need to say :)



I am debugging an issue which seems to be rooted in some MTU problem... and
I notice that on a host, according to the pcaps I take using tcpdump on
Red Hat Linux 6.x, the packet size is shown to be over 2500 bytes, when the
MTU of the network interface is only 1500.... Or is a "packet", as displayed
by Wireshark or tcpdump, unrelated to the L2 frames? Could there have been
more frames for that one "packet"? How can I have "tcpdump -r" or
Wireshark show me the exact frames, so I can see their actual sizes?



Example, notice the packet with a "tcp size" of 2896, "IP size" is 2948.



➜  tmp  tcpdump  -qnr ubuntu-1.mtu1500.pcap
reading from file ubuntu-1.mtu1500.pcap, link-type EN10MB (Ethernet)
18:09:07.874894 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.874990 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 0
18:09:07.878527 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.878819 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 85
18:09:07.878842 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 0
18:09:07.879982 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 17
18:09:07.880299 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 2896
18:09:07.880506 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 395
18:09:07.882022 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.882048 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.883506 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:07.883523 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:08.087483 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:08.495509 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:09.311515 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:10.947503 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:14.223563 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:16.463307 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:16.463353 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 0
➜  tmp







Thanks a lot,

Mohamed.



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
