So I've read in a few places that Wireshark sits right between the protocol stack and the NIC capturing whatever the user wants to capture and that it manages to get outgoing Ethernet frames by getting a copy from the NIC on transmission... Well, I'm all fine with that but I DO wonder one thing about this...
When having Large Send Offload (LSO), TCP hands big chunks of data for the NIC to segment and transmit. Now, if the NIC would really provide Wireshark with what it's actually transmitting, we would never see frames with these large data chunks from the TCP layer and we would rather see that data the way it looks when it reaches the other end (1518-byte frames, that is, in my case).
Now, this equation doesn't work... either Wireshark is getting the data after the protocol stack and then recreates the soon-to-be Ethernet frame before the data moves on to the NIC or there's something else going on that I don't understand... What do you think?
asked 25 Sep '14, 07:14
Wireshark does not get a copy of the packet from the NIC. Winpcap (on Windows systems) provides Wireshark with a copy of the packet that is being sent to the NIC. So if LSO is in use, and you are capturing on the sending host, Wireshark is seeing the oversize frames before the NIC segments them into proper sized frames for transmission on the network.
To see what is transmitted on the wire, capture from the wire, not from one of the endpoints involved in the communication.
answered 25 Sep '14, 08:56
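As an added example (not code from the thread), here is a script that checks a capture for the symptom the answer describes: TCP frames whose payload exceeds the MSS, which only show up when capturing on the sending host above the NIC's offload. The pcap is constructed inline, and the 1460-byte MSS and the minimal frame layout are assumptions.

```python
"""Flag oversized TCP frames in a libpcap capture, the signature of a host-side
capture taken above the NIC's Large Send Offload. Constructed example; the MSS
value and the frame layout are assumptions, not taken from the thread."""
import math
import struct

MSS = 1460   # assumed MSS: 1500-byte MTU minus 20 B IPv4 and 20 B TCP headers

def build_frame(payload_len: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame with a zero-filled payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                    # dst, src, EtherType IPv4
    total = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len

def build_pcap(frames) -> bytes:
    """Wrap frames in a libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def oversized_tcp_frames(pcap: bytes):
    """Return (frame_no, frame_len, tcp_payload, wire_segments) per oversized frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset, frame_no, found = 24, 0, []
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        frame_no += 1
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 + TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        data_off = (frame[14 + ihl + 12] >> 4) * 4
        payload = ip_total - ihl - data_off
        if payload > MSS:   # larger than the NIC would ever put on the wire
            found.append((frame_no, len(frame), payload, math.ceil(payload / MSS)))
    return found

if __name__ == "__main__":
    capture = build_pcap([build_frame(1460), build_frame(64240)])
    for no, flen, payload, segs in oversized_tcp_frames(capture):
        print(f"frame {no}: {flen} B, {payload} B TCP payload > MSS, "
              f"NIC would emit {segs} segments")
```

A capture taken from a span port or tap instead of the endpoint should produce an empty result from the same check.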