This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tcp.length 1460 for downloads

0

If the TCP length is always set to 1460 for a file transfer download, but it's up to 10 times that amount for the same file uploaded, what could be a contributing factor?

asked 09 Apr '12, 12:35

dij


One Answer:

3

It's probably because you're capturing on the uploading PC, and that PC uses LSO (Large Send Offloading) to have the network interface card handle the segmentation into 1460 byte segments. Wireshark captures the packet before it is sliced into the real segments - this is one of the side effects you need to cope with if you're not using a 3rd PC to capture the traffic between two nodes.

Incoming packets (your "download") are already segmented by the other node, so they're correct.

answered 09 Apr '12, 13:00

Jasper ♦♦

Incoming packets (your "download") are already segmented by the other node, so they're correct.

(Unless they're getting reassembled by the network adapter and handed to the host as a larger-than-segment-size chunk. This might not be happening with the adapter dij's using, but it might happen with other adapters.)

(09 Apr '12, 23:35) Guy Harris ♦♦

I know; I just decided to not further confuse dij for the moment by adding more complexity to the explanation :-)

(10 Apr '12, 00:43) Jasper ♦♦

thank you very much!

(10 Apr '12, 06:58) dij
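
An added example, not part of the original thread: a check for the capture artifact discussed above. It reads the MSS from a SYN's TCP options and flags captured segments larger than that MSS, estimating how many segments the adapter would have put on the wire. The sample SYN header, the packet list and the function names are constructed for illustration.

```python
import math
import struct

def tcp_mss_option(tcp_header: bytes):
    """Return the MSS advertised in a TCP header's options, or None."""
    header_len = (tcp_header[12] >> 4) * 4       # data offset field, in bytes
    opts, i = tcp_header[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # end of option list
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                # malformed option
        if kind == 2 and length == 4:            # MSS option
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def offload_report(packets, mss):
    """packets: (direction, tcp_payload_len) pairs as seen on the capture host.

    Returns (direction, captured_len, estimated_wire_segments) for every
    packet whose payload exceeds the MSS, i.e. one the host captured before
    (outbound) or after (inbound) the adapter did the segmentation work.
    """
    return [(d, n, math.ceil(n / mss)) for d, n in packets if n > mss]

# Constructed sample: a SYN advertising MSS 1460 plus a window-scale option.
SYN = (struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 7 << 4, 0x02, 64240, 0, 0)
       + bytes.fromhex("020405b401030308"))
# Constructed sample: payload lengths from a capture taken on the uploading PC.
PACKETS = [("out", 14600), ("out", 14600), ("out", 2920), ("out", 512),
           ("in", 1460), ("in", 1460)]

if __name__ == "__main__":
    mss = tcp_mss_option(SYN)
    for direction, length, segs in offload_report(PACKETS, mss):
        print(f"{direction}: captured {length} bytes, about {segs} segments on the wire")
```

Oversized packets in the "in" direction would correspond to the receive-side reassembly Guy Harris mentions.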