This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

The win7 environment that packet is greater than the maximum Ethernet size

0

During the data analysis process, the client packet greater than the size of the Ethernet standard. Can help explain why. https://www.cloudshark.org/captures/8e164cd10b06 thank you.

asked 15 Apr '13, 04:39

mengsunny's gravatar image

mengsunny
11446
accept rate: 0%


One Answer:

1

You captured on the PC with the IP address 21.235.28.153, which had "TCP large send offloading" activated in the network card driver. That means that the CPU will push large chunks of data to the network card, where it will be segmented into valid sizes - but that only happens after Wireshark already recording it.

Capture on the other system to see that valid packets arrive, or turn of network card acceleration settings like Large Send Offload and CRC calculation (which means slowing down your PC, which is usually not a good idea).

answered 15 Apr '13, 04:46

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Adjust the MTU value of the client, the problem has been resolved, but the large size of the package still exists, but does not need to be fragmented. Can you help explain why? https://www.cloudshark.org/captures/ba5845e9e8c7

(15 Apr '13, 04:53) mengsunny

This has nothing to do with MTU. This is TCP segmentation, so on a totally different layer.

(15 Apr '13, 04:55) Jasper ♦♦
1

I.e., if you want to see the packets as they appear on the network, rather than as they are supplied to Wireshark by the system on which you're running Wireshark, you would either need to capture on another machine (so that you see packets captured from the wire rather than packets wrapped around to Wireshark in software) or turn off the TCP segmentation offload (so that the packets that get wrapped around to Wireshark in software look more like packets as they'll be transmitted on the wire).

Nothing you did with the MTU would have any effect on that.

(15 Apr '13, 15:18) Guy Harris ♦♦

Capturing packets do not see this on the server side. Thank you very much help.

(15 Apr '13, 19:22) mengsunny