This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ping packet size smaller than packets exchanged

0

hello,

I'm wondering why I'm not able to ping a remote host with a larger packet size than the MTU allowed on the link (ping remote_host -l 1500 -f). The "f" flag is not allowing fragmentation. So when running the ping command I'm receiving msg that packets need to be fragmented and this is ok for me. But I have a trace file between my laptop and the remote server and I can see both exchange packets up to 6000 bytes in size even though I can see the DF bit flag set as well ....

alt text Can anyone please explain why is that ?

BR

Adam

asked 10 Feb '16, 10:31

adasko's gravatar image

adasko
86343842
accept rate: 0%

edited 10 Feb '16, 10:39


One Answer:

1

answered 10 Feb '16, 10:51

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Hi Jasper,

Thank you for the comment. Does it also count when I was simulating on two VMware Workstation VM's? I mean especially the Offloading stuff ?

BR

Adam

(10 Feb '16, 10:58) adasko

Whenever you're not using a dedicated capture device you can run into symptoms like oversized packets, crc errors etc.

(10 Feb '16, 11:03) Jasper ♦♦
1

dedicated device you mean like a TAP or any device running Wireshark ?

(10 Feb '16, 11:05) adasko

TAP, SPAN, it all works as long as you're not capturing on the device creating the packets ;-)

(10 Feb '16, 11:06) Jasper ♦♦

so it could be even a dedicated laptop with Wireshark on it ? If yes, does the NIC have to specifically configured ?

(10 Feb '16, 11:07) adasko

yes, a dedicated laptop is enough. It's usually a good idea to disable all protocol bindings from the capture card to prevent it from adding packets to the capture.

(10 Feb '16, 11:25) Jasper ♦♦
showing 5 of 6 show 1 more comments