This is a static archive of our old Q&A Site. Please post any new questions and answers at

Confusion about when Wireshark actually captures a frame in connection to LSO


So I've read in a few places that Wireshark sits right between the protocol stack and the NIC capturing whatever the user want to capture and that it manages to get outgoing Ethernet frames by getting a copy from the NIC on transmission... Well, I'm all fine with that but I DO wonder one thing about this...

When having Large Send Offload (LSO), TCP hands big chunks of data for the NIC to segment and transmit. Now, if the NIC would really provide Wireshark with what it's actually transmitting, we would never see frames with these large data chunks from the TCP layer and we would rather see that data the way it looks like when it reaches the other end (1518 B. frames that is in my case).

Now, this equation doesn't work... either Wireshark is getting the data after the protocol stack and then recreates the soon to be Ethernet frame before the data moves on to the NIC or there's something else going on that I don't understand... What do you think?

asked 25 Sep '14, 07:14

fast-reflexes's gravatar image

accept rate: 0%

One Answer:


Wireshark does not get a copy of the packet from the NIC. Winpcap (on Windows sytems) provides Wireshark with a copy of the packet that is being sent to the NIC. So if LSO is in use, and you are capturing on the sending host, Wireshark is seeing the oversize frames before the NIC segments them into proper sized frames for transmission on the network.

To see what is transmitted on the wire, capture from the wire, not from one of the endpoints involved in the communication.

answered 25 Sep '14, 08:56

Jim%20Aragon's gravatar image

Jim Aragon
accept rate: 24%

Thanks! So I take it then that the Ethernet frame headers are already in place when the packet is being handed over to the NIC and that in the case of LSO, the NIC "reopens" the frame and segments its content, readjusts the relevant headers and then passes it onto the wire?

(25 Sep '14, 10:52) fast-reflexes

Yes, there are headers on the oversized frame that gets passed to the NIC. The NIC segments the frame into multiple smaller frames for transmission on the wire, and puts the appropriate headers on the transmitted frames.

(25 Sep '14, 10:58) Jim Aragon

Aha! So the regular processing is that all headers (maybe except the physical ones: preamble and SFD) are on the packet as it gets passed to the NIC? I think a usual misconception might be that the NIC accepts an IP packet from "above" to which it then puts on the Ethernet headers but it makes sense that these should be in place once it is handed over to the NIC and that the NIC only takes care of the last steps involving actual transmission / handing over the data to the physical layer... That right?

Thank you very much! You helped me to greater understanding :)

(25 Sep '14, 11:33) fast-reflexes

Actually even if you capture from the wire the host making the capture may assemble the packets if receive offloading is active.

(25 Sep '14, 11:50) Anders ♦