Home page logo
/

wireshark logo Wireshark mailing list archives

Re: How can a packet size be greater than the NIC's MTU?
From: Mohamed Lrhazi <lrhazi () gmail com>
Date: Wed, 4 Dec 2013 07:54:31 -0500

I am most grateful to all of you, thank you very much... this was driving
me nuts!

Mohamed.


On Wed, Dec 4, 2013 at 4:53 AM, Anders Broman <anders.broman () ericsson com>wrote:



-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:
wireshark-users-bounces () wireshark org] On Behalf Of Guy Harris
Sent: den 4 december 2013 06:25
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How can a packet size be greater than the
NIC's MTU?


On Dec 3, 2013, at 6:30 PM, Mohamed Lrhazi <lrhazi () gmail com> wrote:

am debugging an issue which seems to be rooted at some MTU problem...
and I notice that a host, according to the pcaps I take, using tcpdump, on
redhat linux 6.x, the packet size is shown to be over 2500 >bytes, when the
MTU of the network interface is only 1500.... or is a "packet" as displayed
by wireshark or tcpdump, unrelated to the L2 frames?

It could conceivably be not directly related to the L2 frames.

If, for example, the network adapter is doing "large receive offload" or
"TCP segmentation offload", it might supply to the host packet that look
like TCP segments but are the result of combining multiple TCP >segments on
the network.

could there have been more frames for that one "packet"?

Yes.

How can I have "tcpdump -r" or wireshark, show me the exact frames, so
I can see their actual sizes?

By turning "large receive offload" and "TCP segmentation offload".

On Linux, you could do this with the ethtool command:

      http://www.linuxcommand.org/man_pages/ethtool8.html

I think you'd want to turn "tso" and "lro" (which that version of the man
page doesn't document) off.


Or, alternatively, plug a third machine into the network and passively
capture the traffic with that machine.

These links may be of interest
http://wiki.wireshark.org/CaptureSetup/Offloading?highlight=%28Offload%29

http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

Note that changing the parameters on the "production" interface is not
advisable as it might affect performance.

Regards
Anders

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org
?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]