TCP length in capture from aggregating TAP exceeds MTU

asked 2019-11-08 15:22:23 +0000

chb

updated 2019-11-08 15:39:49 +0000

I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running Wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports (these are simplex ports that send only). The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length from the sender starts at 1448, increases to 2896, then tops out at 8688KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured Ethernet interfaces on desktops/laptops.

If a misconfigured interface is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP, which will act as little more than a recording device for Wireshark? I read this post where OP attempts to remedy things with ethtool, but more experienced users take exception to his methods.

Can you share a capture file? Use a public share, e.g. Google Drive, Dropbox, etc.

grahamb (2019-11-10 17:27:04 +0000)

1 Answer

answered 2019-11-08 16:24:09 +0000

chb

Not enough digging, I guess. I followed the instructions presented at for network cards, borrowing bits and pieces from the SecurityOnion page that it refers to.

Big thanks to Jasper!
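
An added example, not part of the original post or of the instructions it refers to: assuming the oversized segments come from offload features on the capture interface (the thread itself does not name the cause), this script lists which offloads `ethtool -k` still reports as on and prints the matching `ethtool -K` commands without running them. The function names and the sample `ethtool -k` output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample text are constructed here.

# Constructed sample of `ethtool -k enp8s0` output (not from a real capture host).
sample_ethtool_k() {
cat <<'EOF'
Features for enp8s0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
scatter-gather: on
    tx-scatter-gather: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
EOF
}

# Read `ethtool -k` output on stdin; print the short `ethtool -K` name of each
# top-level offload that is still "on", one per line, in input order.
enabled_offloads() {
    awk -F': ' '
        BEGIN {
            m["rx-checksumming"] = "rx";  m["tx-checksumming"] = "tx"
            m["scatter-gather"] = "sg"
            m["tcp-segmentation-offload"] = "tso"
            m["generic-segmentation-offload"] = "gso"
            m["generic-receive-offload"] = "gro"
            m["large-receive-offload"] = "lro"
        }
        {
            name = $1; sub(/^[ \t]+/, "", name)   # sub-features are indented
            split($2, v, " ")                     # "off [fixed]" -> v[1] = "off"
            if ((name in m) && v[1] == "on") print m[name]
        }'
}

# Print (do not run) one `ethtool -K` command per feature name read on stdin.
disable_commands() {
    while read -r feat; do
        printf 'ethtool -K %s %s off\n' "$1" "$feat"
    done
}

# With an interface argument, inspect it; otherwise use the sample.
if [ -n "${1:-}" ]; then ethtool -k "$1"; else sample_ethtool_k; fi |
    enabled_offloads | disable_commands "${1:-enp8s0}"
```

Settings changed with `ethtool -K` do not survive a reboot, so the printed commands need to be applied from the interface's startup configuration as well.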
