This is our old Q&A Site. Please post any new questions and answers at

What exactly is the difference between TCP packet length in bytes and MTU size?? Is it OK to have to have TCP packet length in bytes higher (for example: 1845) than MTU size (1500) when we see it in Wireshark trace?

asked 10 Apr '17, 15:04

armodes's gravatar image

accept rate: 0%

TCP length must stay equal or below MTU minus the IP and TCP header size. E.g. if the MTU is 1500, the TCP length should be less or equal to 1460, (MTU 1500 - 20 Bytes IP header - 20 Bytes TCP header).

If you see packets with higher length (e.g. 1845) it could be a problem, but most likely it's measurement error. See

permanent link

answered 10 Apr '17, 15:09

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Jasper, but to keep the TCP packet lengths equal or below MTU size, we have to turn the TCP segmentation feature OFF. However, the problem when we do that is that we can not utilize the maximum bandwidth. For example: the performance for a 1gbps - we get around 370mbps - which i think is so poor. This got me confused.

(10 Apr '17, 15:23) armodes

No, that's not true. The segmentation feature puts the task of segmenting packets on the card, not the CPU, so if you do a local capture it shows incorrect values. On the wire it's always correct. Which is why you need to start capturing with a SPAN port or a TAP. That's the only way to see the real packets.

(10 Apr '17, 15:26) Jasper ♦♦

OK. I am doing all this on a virtual environment and capturing the traffic on the monitor (between the sender and the receiver). I don't have that physical switch in place now, is there any way to do it on a virtual environment?

(10 Apr '17, 15:33) armodes

I'm not sure, maybe if the monitor device is in bridge mode. But speed tests in that kind of environment are generally not very reliable, so if you're trying to prove you can get maximum bandwidth it's usually much better to do it on a physical link.

(10 Apr '17, 15:38) Jasper ♦♦

The most common situation where I see TCP length larger than the MTU is when Wireshark is being run on the sending system, TCP Segmentation Offloading is being used, and Wireshark captures the outgoing packets before the NIC card has actually packetized them. If this interferes with the analysis you can either disable the Segmentation Offloading (often not possible), or capture from the network via a SPAN port or a tap.

permanent link

answered 10 Apr '17, 15:25

djdawson's gravatar image

accept rate: 25%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 10 Apr '17, 15:04

question was seen: 14,663 times

last updated: 10 Apr '17, 15:38

p​o​w​e​r​e​d by O​S​Q​A