I am a newbie with TCP, MTU (which I have to play around with) and Wireshark. I sent some data that was over 100k over TCP and used Wireshark to view and confirm the data that I sent. I assume each Wireshark frame corresponds to a TCP segment, am I correct? I noticed the length of some of the frames were 1514, which looked correct, because MTU was 1500 plus some bytes for headers. However, some of the frame lengths were much higher, such as 5xxx, 1xxxx. Why was that the case? I thought all the frames (the ones about data sent from my machine to the remote server) would be 1514.
I also added the column "Packet Length" and thought maybe that column would report TCP segment size and I noticed the numbers in that column were the same as the numbers in the column "Length". What's the difference between "Packet Length" and "Length"?
asked 14 Sep '13, 19:23
Probably you captured on the host that transmitted the oversized packet, and TCP Large Segment Offload is enabled. (Sometimes abbreviated TSO and sometimes LSO.) The operating system is passing packets larger than MTU to the network adapter, and the network adapter driver is breaking them up so that they fit within the MTU. If you capture from the wire, instead of from an endpoint involved in the communication, you will see that the packets are correctly sized when they are transmitted. This is one reason of several to capture from the wire, instead of on an endpoint.
TSO is a performance enhancement, but you can turn it off, in which case, the OS will no longer generate oversized frames.
To show the size of the TCP segment, add a custom column using the field "tcp.len".
answered 14 Sep '13, 21:52
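An added example, not part of the original question or answer: a small classic-pcap reader that lists the frames longer than MTU plus the Ethernet header, with the TCP payload size (what `tcp.len` shows) and an estimate of how many wire segments the adapter would emit. The function names and the in-memory sample capture are constructed for illustration, and the segment estimate assumes the MSS equals the MTU minus the IP and TCP headers.

```python
import struct

ETH = 14  # Ethernet header bytes, included in Wireshark's "Length" column

def oversized_frames(pcap, mtu=1500):
    """Return (frame_no, frame_len, tcp_len, est_wire_segments) for each
    untagged Ethernet/IPv4/TCP frame longer than mtu + ETH."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    hits, off, no = [], 24, 0
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(end + "II", pcap[off + 8:off + 16])
        data = pcap[off + 16:off + 16 + incl]
        off, no = off + 16 + incl, no + 1
        if len(data) < ETH + 20 or data[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged frames are skipped too)
        ihl = (data[ETH] & 0x0F) * 4
        if data[ETH + 9] != 6 or len(data) < ETH + ihl + 20:
            continue  # not TCP, or truncated by the snap length
        # Some offloading stacks leave the IP total length at 0 in the
        # host-side copy; fall back to the frame length in that case.
        total = struct.unpack("!H", data[ETH + 2:ETH + 4])[0] or orig - ETH
        doff = (data[ETH + ihl + 12] >> 4) * 4
        tcp_len = total - ihl - doff          # same value as tcp.len
        if orig > mtu + ETH:
            mss = mtu - ihl - doff            # estimate: MSS = MTU - headers
            hits.append((no, orig, tcp_len, -(-tcp_len // mss)))
    return hits

def build_frame(payload_len):
    """Constructed frame: zeroed addresses and checksums, 20-byte headers."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0,
                     64, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp + bytes(payload_len)

def sample_capture(payload_sizes=(1460, 5840, 100)):
    """Constructed in-memory pcap, as an endpoint capture might look."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in payload_sizes:
        f = build_frame(n)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(oversized_frames(sample_capture()))
```

An empty result on a capture taken from the wire, next to hits on a capture of the same transfer taken on the sender, is the pattern the answer describes.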