Re: How can a packet size be greater than the NIC's MTU?

[Mohamed Lrhazi <lrhazi () gmail com>]

I am most grateful to all of you, thank you very much... this was driving
me nuts!

Mohamed.


On Wed, Dec 4, 2013 at 4:53 AM, Anders Broman <anders.broman () ericsson com>wrote:

> -----Original Message-----
> From: wireshark-users-bounces () wireshark org [mailto:
> wireshark-users-bounces () wireshark org] On Behalf Of Guy Harris
> Sent: den 4 december 2013 06:25
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] How can a packet size be greater than the
> NIC's MTU?
>
>
> On Dec 3, 2013, at 6:30 PM, Mohamed Lrhazi <lrhazi () gmail com> wrote:
>
> > > am debugging an issue which seems to be rooted at some MTU problem...
> and I notice that a host, according to the pcaps I take, using tcpdump, on
> redhat linux 6.x, the packet size is shown to be over 2500 >bytes, when the
> MTU of the network interface is only 1500.... or is a "packet" as displayed
> by wireshark or tcpdump, unrelated to the L2 frames?
> > It could conceivably be not directly related to the L2 frames.
> >
> > If, for example, the network adapter is doing "large receive offload" or
> "TCP segmentation offload", it might supply to the host packet that look
> like TCP segments but are the result of combining multiple TCP >segments on
> the network.
> > > could there have been more frames for that one "packet"?
>
> > Yes.
>
> > > How can I have "tcpdump -r" or wireshark, show me the exact frames, so
> I can see their actual sizes?
> > By turning "large receive offload" and "TCP segmentation offload".
> >
> > On Linux, you could do this with the ethtool command:
> >
> >       http://www.linuxcommand.org/man_pages/ethtool8.html
> >
> > I think you'd want to turn "tso" and "lro" (which that version of the man
> page doesn't document) off.
> > Or, alternatively, plug a third machine into the network and passively
> capture the traffic with that machine.
>
> These links may be of interest
> http://wiki.wireshark.org/CaptureSetup/Offloading?highlight=%28Offload%29
>
> http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
>
> Note that changing the parameters on the "production" interface is not
> advisable as it might affect performance.
>
> Regards
> Anders
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe