Wireshark mailing list archives

Re: How can a packet size be greater than the NIC's MTU?
From: Anders Broman <anders.broman () ericsson com>
Date: Wed, 4 Dec 2013 09:53:16 +0000



-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Guy Harris
Sent: den 4 december 2013 06:25
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How can a packet size be greater than the NIC's MTU?


On Dec 3, 2013, at 6:30 PM, Mohamed Lrhazi <lrhazi () gmail com> wrote:

am debugging an issue which seems to be rooted at some MTU problem... and I notice that a host, according to the
pcaps I take, using tcpdump, on redhat linux 6.x, the packet size is shown to be over 2500 bytes, when the MTU of
the network interface is only 1500.... or is a "packet" as displayed by wireshark or tcpdump, unrelated to the L2
frames?

It could conceivably be not directly related to the L2 frames.

If, for example, the network adapter is doing "large receive offload" or "TCP segmentation offload", it might supply
to the host packets that look like TCP segments but are the result of combining multiple TCP segments on the network.

could there have been more frames for that one "packet"?

Yes.

How can I have "tcpdump -r" or wireshark, show me the exact frames, so I can see their actual sizes?

By turning "large receive offload" and "TCP segmentation offload" off.

On Linux, you could do this with the ethtool command:

      http://www.linuxcommand.org/man_pages/ethtool8.html

I think you'd want to turn "tso" and "lro" (which that version of the man page doesn't document) off.


Or, alternatively, plug a third machine into the network and passively capture the traffic with that machine.

These links may be of interest
http://wiki.wireshark.org/CaptureSetup/Offloading?highlight=%28Offload%29
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

Note that changing the parameters on the "production" interface is not advisable as it might affect performance.

Regards
Anders

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
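
An added example, not part of the original thread: a check for whether a capture was affected by the offloading discussed above, listing records in a classic pcap file whose length exceeds what one Ethernet frame at the interface MTU could carry. The function names, the 1500-byte default and the in-memory sample capture are assumptions constructed for illustration.

```python
import struct

ETH_HDR = 14    # Ethernet II header; the FCS is normally not captured
VLAN_TAG = 4    # allow for one 802.1Q tag

def build_sample_pcap(frame_lengths):
    """Constructed sample: a little-endian classic pcap holding zero-filled frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, n in enumerate(frame_lengths):
        out += struct.pack("<IIII", i, 0, n, n) + bytes(n)
    return out

def oversized_frames(pcap_bytes, mtu=1500):
    """Return (record_number, length) for records larger than one MTU-sized Ethernet frame."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # microsecond / nanosecond, little-endian
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # microsecond / nanosecond, big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    limit = mtu + ETH_HDR + VLAN_TAG
    hits, offset, number = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        number += 1
        # orig_len is the untruncated packet length even when the snaplen cut the stored bytes
        if orig_len > limit:
            hits.append((number, orig_len))
        offset += 16 + incl_len
    return hits

if __name__ == "__main__":
    sample = build_sample_pcap([66, 1514, 2962, 1518, 4410])
    for number, length in oversized_frames(sample):
        print(f"record {number}: {length} bytes, larger than a 1500-byte MTU frame")
```

Any hit means the capture host handed the capture mechanism packets that were not single L2 frames, so per-frame sizes in that file do not reflect what was on the wire.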

