This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP packet size

0

I captured a TCP stream from a linux server and a linux client (both running backtrack 5 (based on ubuntu 11.04) MSS on server and client = 1460 bytes must packets have a payload of 1448 bytes, yet some packets have larger payloads e.g 7240 = 5*1448

Does that mean the MTU set on the server OS is larger than 1500? if so how do I find the MTU value?

alt text

asked 27 Nov '11, 02:36

ddayan's gravatar image

ddayan
41151720
accept rate: 0%


One Answer:

3

Ths MSS is what the TCP stack will use to segment data before it is being send out the network interface. However, libpcap captures the packets between the TCP stack and the NIC driver. In modern NICs, some functions of the TCP/IP stack can be offloaded to the NIC, saving CPU cycles on the system. One of the offloaded features is TCP segmentation.

So you see the large segment being sent to the NIC and the NIC will segment it into packets that will fit the MTU of the network.

You can verify this by making the trace on both sides, only on the sending side you will see the large packets.

answered 27 Nov '11, 03:01

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I found this old post, which describes exactly the problem I'm having. The capture shows only large segments, but I'd like to see the individual segments (after the NIC breaks it down). I even tried capturing at the receiver side, but it seems it performs the exact same operation. Can this be done? I'm using Linux.

(21 Jan '13, 13:50) clod1977

Or alternatively, can I set TCP to segment the packets, rather than have the NIC do it?

(21 Jan '13, 14:02) clod1977
(21 Jan '13, 14:21) SYN-bit ♦♦