This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MTU larger than interface allows with DF bit set


I have a capture between two servers that have an MTU set to 1500 Bytes. Within the capture I have SQL TDS packets that are transferring data packets above 1500 Bytes with the DF bit set. Why are these packets traversing the network when I can't ping above 1500 Bytes between the two servers? When I try to ping with the DF bit set the packets are not even captured by Wireshark and the notification appears in the DOS prompt.

Any help is greatly appreciated.

Cheers.

>ping 10.2.8.120 -l 1400

Pinging 10.2.8.120 with 1400 bytes of data:

Reply from 10.2.8.120: bytes=1400 time<1ms TTL=128

Reply from 10.2.8.120: bytes=1400 time<1ms TTL=128

>ping 10.2.8.120 -l 1600

Pinging 10.2.8.120 with 1600 bytes of data:

Reply from 10.2.8.120: bytes=1600 time<1ms TTL=128

Reply from 10.2.8.120: bytes=1600 time<1ms TTL=128

>ping 10.2.8.120 -l 1600 -f

Pinging 10.2.8.120 with 1600 bytes of data:

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

No. Delta Time Source Destination Protocol Length TCP Length Bytes in flight IP Identification Arrival Time Info

546735 0.000176 3930.032301 10.2.8.206 10.2.8.120 TDS 1460 1460 0x473d (18237) 01:32.5 Response[Packet size limited during capture]

546736 0.000005 3930.032306 10.2.8.206 10.2.8.120 TDS 104,678 798 2258 0x473e (18238) 01:32.5 Unknown Packet Type: 13 (Not last buffer) (Not last buffer)

546737 0.00004 3930.032346 10.2.8.120 10.2.8.206 TCP 0 0x0e20 (3616) 01:32.5 49538 > 1433 [ACK] Seq=1990537 Ack=2276450 Win=131328 Len=0

546738 0.001548 3930.033894 10.2.8.120 10.2.8.206 TDS 7992 8000 8000 0x0e21 (3617) 01:32.5 Remote Procedure Call (Not last buffer)

546739 0.000056 3930.03395 10.2.8.120 10.2.8.206 TDS 1112 9112 0x0e27 (3623) 01:32.5 Remote Procedure Call

asked 11 Nov ‘15, 21:15

krazynedkelly

edited 12 Nov ‘15, 02:45

grahamb ♦


One Answer:


Maybe you have done a local trace. If you have enabled "TCP Chimney Offload" or "Receive Segment Coalescing", then the packets in the capture appear larger, because the capture point is inside the system. The NIC slices the segments to the maximum allowed MTU.
For transmitted frames, this is done by the function called "TCP Chimney Offloading" or "Large Send Offloading".
For received frames, it is called "Receive Segment Coalescing" or "Large Receive Offloading", but it is not as commonly used as TCP Offloading.

These are the names as they are used on Windows systems. The global settings can be seen with this command:

netsh int tcp show global

But maybe you need to alter the interface settings, too.

answered 12 Nov '15, 00:24

Christian_R

edited 12 Nov '15, 00:49
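
To check a capture for the effect the answer describes, the following added example (not part of the original post or of Wireshark) scans a classic pcap for IPv4 frames that have DF set yet are larger than the interface MTU, which points to a capture taken before the NIC segmented them. It assumes a little-endian pcap with Ethernet II framing; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_HDR = 14  # assumes Ethernet II framing without a VLAN tag

def oversized_df_frames(pcap, mtu=1500):
    """Return [(frame_no, ip_bytes)] for IPv4 frames with DF set above mtu.

    ip_bytes comes from the on-wire length in the pcap record header, so it
    holds for snaplen-truncated frames and for offloaded sends whose IP
    total-length field is still 0 at the capture point.
    """
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap, Ethernet")
    hits, off, no = [], 24, 0
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack_from("<II", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        no += 1
        if len(frame) < ETH_HDR + 7 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or flags byte not captured
        df_set = bool(frame[ETH_HDR + 6] & 0x40)
        if df_set and orig - ETH_HDR > mtu:
            hits.append((no, orig - ETH_HDR))
    return hits

def build_sample(snaplen=64):
    """Constructed capture: (IP total length, DF flag, on-wire frame length)."""
    rows = [(1500, True, 1514), (0, True, 8014),
            (1628, False, 1642), (2258, True, 2272)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for total_len, df, wire in rows:
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0x473E,
                         0x4000 if df else 0, 128, 6, 0,
                         bytes([10, 2, 8, 206]), bytes([10, 2, 8, 120]))
        data = (b"\x00" * 12 + b"\x08\x00" + ip)[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(data), wire) + data
    return out

if __name__ == "__main__":
    for no, size in oversized_df_frames(build_sample()):
        print(f"frame {no}: {size}-byte IP packet with DF set, "
              "likely captured before NIC segmentation")
```

Frames reported here never crossed the wire at that size; a capture taken on a switch mirror port or with offloading disabled shows the MTU-sized segments instead.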