Home page logo

wireshark logo Wireshark mailing list archives

Re: How can a packet size be greater than the NIC's MTU?
From: Guy Harris <guy () alum mit edu>
Date: Tue, 3 Dec 2013 21:25:19 -0800

On Dec 3, 2013, at 6:30 PM, Mohamed Lrhazi <lrhazi () gmail com> wrote:

am debugging an issue which seems to be rooted at some MTU problem... and I notice that a host, according to the 
pcaps I take, using tcpdump, on redhat linux 6.x, the packet size is shown to be over 2500 bytes, when the MTU of the 
network interface is only 1500.... or is a "packet" as displayed by wireshark or tcpdump, unrelated to the L2 frames?

It could conceivably be not directly related to the L2 frames.

If, for example, the network adapter is doing "large receive offload" or "TCP segmentation offload", it might supply to 
the host packet that look like TCP segments but are the result of combining multiple TCP segments on the network.

could there have been more frames for that one "packet"?


How can I have "tcpdump -r" or wireshark, show me the exact frames, so I can see their actual sizes?

By turning "large receive offload" and "TCP segmentation offload".

On Linux, you could do this with the ethtool command:


I think you'd want to turn "tso" and "lro" (which that version of the man page doesn't document) off.

Or, alternatively, plug a third machine into the network and passively capture the traffic with that machine.
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]