Re: wireshark sees jumbo TCP packets in linux

["Templin, Fred L" <Fred.L.Templin () boeing com>]

Hi Jim,

> Why not simply capture from the wire to see what is actually

> transmitted on the wire, and leave the performance enhancements

> on? Capturing from the wire--that is, from a third system that

> is not one of the endpoints involved in the communication-is

> considered by many to be a best practice in network analysis.



Right; I tried that too and the third system was also using

GRO and sent up jumbo packets. So a minimal fix is to set

up an intermediate promiscuous mode listener and then disable

GRO on that one.



Fred


From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jim Aragon
Sent: Tuesday, June 26, 2012 9:40 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] wireshark sees jumbo TCP packets in linux

At 01:37 PM 6/26/2012, Fred Templin wrote:

> The source of the confusion turned out to be linux performance
> enhancements called Generic Segment Offload (GSO), Genereic
> Reassembly Offload (GRO) and TCP Segment Offload (TSO). These
> functions push the TCP segmentation/reassembly function down to
> the network layer driver code and somehow circumvent the packet
> capture hooks which should be showing the actual packets that
> go out on the wire instead of the jumbos.
>
> To turn these functions off, type:
>
> # ethtool --offload eth0 gso off
> # ethtool --offload eth0 tso off
> # ethtool --offload eth0 gro off
>
> You should now see wireshark picking up packets that are no
> larger than the actual network interface MTU, i.e., the
> actual packets that go out on the wire.
>
> Have others seen this? Is there a better workaround than
> what I described above?

Yes, this is the best workaround if what you are trying to do is to make the packets that Wireshark sees the same size 
as the packets that are transmitted on the wire. However, as you note above, these are performance enhancements. By 
turning them off, you lose the performance benefits.

Why not simply capture from the wire to see what is actually transmitted on the wire, and leave the performance 
enhancements on? Capturing from the wire--that is, from a third system that is not one of the endpoints involved in the 
communication--is considered by many to be a best practice in network analysis.

Jim

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe