I was contacted about a performance issue, so I setup Cisco SPANs in front of both end devices. The sending device has LSO enabled with the MTU set to 1500. Jumbo frames are enabled throughout the network up to ~9000 bytes. The devices send a MSS of 1460 in the TCP handshake. However, on BOTH sides I am seeing packet lengths up to over 10,000 bytes in Wireshark. I've seen weird behavior like this before when capture ON the servers as many of you have as well. However, I'm capturing on the wire. I am trying to figure out if the sending server is not respecting the MTU size, Wireshark has a bug, I have some obscure option set incorrectly, or if one of our devices is altering packets. Has anyone else experienced this or have any ideas?
asked 10 Mar '17, 14:42 csereno |
One Answer:
Disabling the offloads on the capture server worked. We rebuilt the servers awhile back and forgot to disable the offloads (it had been so long since the previous rebuild we forgot....lesson relearned!). Thank you Uli and SYN-bit for the confirmation! answered 04 May '17, 08:00 csereno |
It seems our packet capture server has offloading enabled. I disabled it and will test again Monday. Even a NIC in promiscuous mode doing the captures can be influenced by TSO/GSO/LSO.
I've never seen that happen in a capture setup, so I'm curious about your findings.
I've also had such packets when the capture device was configured for "Generic Receive Offload" resp. "Large Receive Offload".
An indication for this may several packets with increasing ACK numbers for "one" large packet.
I have also witnessed this behavior on a Ubuntu laptop. Disabling all offload features of the NIC solved the issue for me...
Uli, almost the entire stream looks like "one" large packet, so that had me curious as well. I'll let you all know tomorrow. Thanks for the confirmation!