Wireshark mailing list archives
wireshark sees jumbo TCP packets in linux
From: "Templin, Fred L" <Fred.L.Templin () boeing com>
Date: Tue, 26 Jun 2012 13:37:01 -0700
On recent linux distros (mine is Ubuntu 12.4 with 3.2.0-23 kernel), wireshark captures of an sftp large file transfer showed jumbo-sized TCP packets significantly larger than 1500 bytes. This is on a linux laptop with a 1500 MTU Ethernet, so it could not possibly reflect what actually goes out on the wire. If you do the wireshark capture on the large file sender, you see outbound packets as large as 64K. If you do the wireshark capture on the large file receiver, you see inbound packets anywhere from ~2KB - ~16KB. The source of the confusion turned out to be linux performance enhancements called Generic Segment Offload (GSO), Genereic Reassembly Offload (GRO) and TCP Segment Offload (TSO). These functions push the TCP segmentation/reassembly function down to the network layer driver code and somehow circumvent the packet capture hooks which should be showing the actual packets that go out on the wire instead of the jumbos. To turn these functions off, type: # ethtool --offload eth0 gso off # ethtool --offload eth0 tso off # ethtool --offload eth0 gro off You should now see wireshark picking up packets that are no larger than the actual network interface MTU, i.e., the actual packets that go out on the wire. Have others seen this? Is there a better workaround than what I described above? Thanks - Fred ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- wireshark sees jumbo TCP packets in linux Templin, Fred L (Jun 26)
- Re: wireshark sees jumbo TCP packets in linux Jeff Morriss (Jun 26)
- Message not available
- Re: wireshark sees jumbo TCP packets in linux Jim Aragon (Jun 26)
- Re: wireshark sees jumbo TCP packets in linux Templin, Fred L (Jun 27)
- Re: wireshark sees jumbo TCP packets in linux Jim Aragon (Jun 26)