I would like to see the "normal" behavior of TCP in wireshark, but I have discovered that (to save CPU) TCP sends large chunks of information to the NIC and the NIC actually performs the segmentation (based on MTU). From what I have read so far wireshark captures traffic data between TCP (the CPU) and the NIC, so the "normal" behavior of TCP is lost. Is there a way to force the segmentation of information to be done by TCP (old school) or perhaps to capture the packets in the NIC? I'm using Linux. asked 21 Jan '13, 16:00 clod1977 |
One Answer:
The best way to see packets as they are on the wire is to use a network TAP. Next best thing would be to use the span port of a managed switch. Have a look at my comment on your comment on http://ask.wireshark.org/questions/7659/tcp-packet-size for hints on how to disable TSO in linux. answered 21 Jan '13, 16:11 SYN-bit ♦♦ |
basically, any method where you capture the packets somewhere between client and server (and not on any of them) will do the trick...
I'm pretty sure Opnet's Ace analyst (now ATX) has the ability to recode it using MTU. You're kind of cheating since you don't see it on the wire, but when you're dealing with VMs and modern day servers, it does come in handy for quick troubleshooting. It would be like the anti-"allow subdissector to reassemble packets" feature! :)