Re: Odd behaviour under Linux 2.6.21

["Gianluca Varenni" <gianluca.varenni () cacetech com>]

I guess it's some sort of TCP offloading done at the board level. The driver 
sends big frames (>1500bytes) to the NIC card, and the NIC card is 
responsible from creating smaller segments that are sent over the wire. I've 
seen a similar behavior on Windows with some gigabit network cards (if i 
remember well at least with some broadcom chipsets).

In this case libpcap, like any other software capture engine, captures what 
is passed to the NIC, so it was capture the big frames instead of what's 
actually transmitted on the wire.

Hope it helps
GV

----- Original Message ----- 
From: "James Healy" <jhealy () swin edu au>
To: <tcpdump-workers () lists tcpdump org>
Cc: <lastewart () swin edu au>
Sent: Thursday, July 05, 2007 10:44 PM
Subject: Re: [tcpdump-workers] Odd behaviour under Linux 2.6.21


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> James Healy wrote:
> > We've encountered some odd behaviour with tcpdump/libpcap under Linux
> > 2.6.21 (debian etch) and are hoping that others might be able to shed
> > some light on it for us.
>
> I've got some more information on this:
>
> I ran the same test under various Linux kernels (using standard Debian
> kernel packages), always with the same hardware setup and tcpdump 3.9.5
> / libpcap 0.9.5.
>
> The sending host was running Linux, and the receiving host FreeBSD 6.2.
> However we've seen the same behaviour on Linux to Linux transfers.
>
> The following list indicates the kernels under which I observed the odd
> behaviour:
>
> 2.6.12 - No
> 2.6.15 - No
> 2.6.16 - No
> 2.6.17 - Yes
> 2.6.18 - Yes
> 2.6.21 - Yes
>
> So, the next question is, what changed between kernels 2.6.16 and 2.6.17?
>
> James
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (FreeBSD)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGjdah4oawkrbYo/kRAr2MAJ98qcROO8KDbzKsYIqb6V+E8CcsRgCfUfKx
> 4EeOoMV7KUY4D0zidNFyC78=
> =tG7y
> -----END PGP SIGNATURE-----
>
> Swinburne University of Technology
> CRICOS Provider Code: 00111D
>
> NOTICE
> This e-mail and any attachments are confidential and intended only for the 
> use of the addressee. They may contain information that is privileged or 
> protected by copyright. If you are not the intended recipient, any 
> dissemination, distribution, printing, copying or use is strictly 
> prohibited. The University does not warrant that this e-mail and any 
> attachments are secure and there is also a risk that it may be corrupted 
> in transmission. It is your responsibility to check any attachments for 
> viruses or defects before opening them. If you have received this 
> transmission in error, please contact us on +61 3 9214 8000 and delete it 
> immediately from your system. We do not accept liability in connection 
> with computer virus, data corruption, delay, interruption, unauthorised 
> access or unauthorised amendment.
>
> Please consider the environment before printing this email.
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe. 

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.