TCP warnings & already-truncated mirrored traffic
Background
Oracle Cloud Infrastructure (OCI) has a VTAP (https://docs.oracle.com/en-us/ia...) service similar to AWS VPC Traffic Mirroring. The 'Max Packet Size' of a VTAP is the capture size of the mirrored traffic; any bytes beyond 'Max Packet Size' won't be mirrored. Also, for such truncated mirrored packets, the packet header parameters of the payload, such as length and checksum, aren't updated.
Scenario
I am running tcpdump to capture mirrored traffic on the compute node behind the target NLB of the VTAP in OCI. When I set 'Max Packet Size' on the VTAP to 1000, my pcaps, when viewed in Wireshark, show for almost all packets:
- TCP Previous segment not captured
- TCP ACKed unseen segment
1000 is more than sufficient to include all the header information, for sure. The snaplen (-s parameter) for the tcpdump command is also set to 800, so tcpdump records the truncation in the pcap files. Note that tcpdump is running on the VXLAN virtual interface of the compute node, so that interface does the decap to give me just the original packet as seen by the 'source of VTAP'. Here, 'source of VTAP' is nothing but the compute node whose traffic is being mirrored by the VTAP.
The Wireshark expert error messages go away if I use full packet capture in VTAP traffic mirroring with a 'Max packet size' of 9000, and in tcpdump too. The traffic being captured is mainly simple HTTP requests on the source of the VTAP (from where the mirrored traffic in VXLAN encapsulation is coming).
So for most of the packets we have:
Length of packet as seen by VTAP source/compute > Original packet length in the pcap record header > Captured packet length in the pcap record header (aka snaplen)
One theory I have is that when Wireshark tries to analyze the pcap files (captured by tcpdump), it sees that the sequence/ack numbers don't add up to the number of bytes in each packet it sees in the pcaps, and hence the errors. I think that since the TCP packet itself does not have a length field to give its payload length, the TCP layer derives this information from the length field of the IP packet. And the same is being done by Wireshark here: it sees a big IP packet length, and that does not match the TCP payload length it sees in the pcap file.
Is my theory in the right direction? I would really appreciate help from Wireshark experts.
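Added example (not from the original post, and not Wireshark's code): a small Python model of the capture path described above, to make the length arithmetic concrete. It constructs three full-size TCP segments and the server's ACK (placeholder addresses, zero MACs and checksums), cuts each frame at a VTAP-style 'Max Packet Size' without rewriting the inner IP/TCP headers, writes them through a minimal pcap writer that records `orig_len`/`incl_len` the way `tcpdump -s` does, and then runs a toy TCP sequence analysis twice: once deriving the segment length from the IP total length field, and once from the pcap record's original length. The analyzer is an assumption about how such checks work in general; it does not claim to reproduce which length Wireshark's own TCP analysis picks in this situation.

```python
import struct

ETH_HDR = 14             # Ethernet header length; no VLAN tag assumed
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_frame(src, dst, seq, ack, payload_len):
    """Ethernet/IPv4/TCP frame carrying `payload_len` bytes of payload.
    Constructed test data: src/dst are (ip_bytes, port) placeholders, MACs are
    zero and checksums are left at zero because nothing here validates them.
    The IP total length always describes the full frame, as it would on the wire."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack,
                          5 << 4, 0x18, 65535, 0, 0)          # 20-byte header, PSH|ACK
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + payload_len,
                         0, 0x4000, 64, 6, 0, src[0], dst[0])
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + b"A" * payload_len


def write_pcap(frames, snaplen):
    """Serialize frames as a pcap blob, cutting each record to `snaplen` while
    recording the length the frame had when it reached the capture point
    (incl_len < orig_len), which is what tcpdump -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        out += struct.pack("<IIII", i, 0, len(data), len(frame)) + data
    return out


def read_pcap(blob):
    """Return [(incl_len, orig_len, data), ...] from a pcap blob."""
    records, off = [], 24
    while off + 16 <= len(blob):
        _, _, incl, orig = struct.unpack("<IIII", blob[off:off + 16])
        records.append((incl, orig, blob[off + 16:off + 16 + incl]))
        off += 16 + incl
    return records


def parse_tcp(data):
    """Return (flow key, seq, ack, IP total length, bytes of headers before payload)."""
    ihl = (data[ETH_HDR] & 0x0F) * 4
    ip_total = struct.unpack("!H", data[ETH_HDR + 2:ETH_HDR + 4])[0]
    src_ip, dst_ip = data[ETH_HDR + 12:ETH_HDR + 16], data[ETH_HDR + 16:ETH_HDR + 20]
    t = ETH_HDR + ihl
    sport, dport, seq, ack, doff = struct.unpack("!HHIIB", data[t:t + 13])
    doff = (doff >> 4) * 4
    return (src_ip, sport, dst_ip, dport), seq, ack, ip_total, ETH_HDR + ihl + doff


def analyze(records, length_source):
    """Toy TCP sequence analysis (an assumption about how such checks work in
    general, not Wireshark's implementation). `length_source` picks the segment length:
      "ip"   -> from the IP total length field (what the header claims was sent),
      "orig" -> from the pcap record's original length (what reached the capture point).
    Returns [(record index, note), ...]."""
    notes, next_seq, highest = [], {}, {}
    for i, (_incl, orig, data) in enumerate(records):
        flow, seq, ack, ip_total, hdrs = parse_tcp(data)
        seg_len = ip_total - (hdrs - ETH_HDR) if length_source == "ip" else orig - hdrs
        if flow in next_seq and seq > next_seq[flow]:
            notes.append((i, "TCP Previous segment not captured"))
        reverse = (flow[2], flow[3], flow[0], flow[1])
        if reverse in highest and ack > highest[reverse]:
            notes.append((i, "TCP ACKed unseen segment"))
        next_seq[flow] = seq + seg_len
        highest[flow] = max(highest.get(flow, 0), seq + seg_len)
    return notes


def simulate(max_packet_size=1000, snaplen=800):
    """Three 1460-byte client segments plus the server ACK, mirrored with
    VTAP-style truncation (bytes beyond max_packet_size dropped, inner headers
    untouched) and captured with tcpdump -s snaplen. Returns the notes produced
    with each length source."""
    client, server = (bytes([10, 0, 0, 1]), 40000), (bytes([10, 0, 0, 2]), 80)
    frames = [build_frame(client, server, 1 + k * 1460, 1, 1460) for k in range(3)]
    frames.append(build_frame(server, client, 1, 1 + 3 * 1460, 0))
    mirrored = [f[:max_packet_size] for f in frames]
    records = read_pcap(write_pcap(mirrored, snaplen))
    return analyze(records, "ip"), analyze(records, "orig")


if __name__ == "__main__":
    for args in ((1000, 800), (9000, 9000)):
        by_ip, by_orig = simulate(*args)
        print(f"max_packet_size={args[0]} snaplen={args[1]}: "
              f"ip-length analysis -> {by_ip}; original-length analysis -> {by_orig}")
```

With 'Max Packet Size' 1000 and snaplen 800 the pcap records carry incl_len 800 and orig_len 1000 while the inner IP header still says 1500, the same three-way inequality the question states. Deriving the segment length from the IP header chains the sequence numbers cleanly; deriving it from the record's original length leaves a 514-byte hole per segment and produces exactly the two warnings listed above. With 9000/9000 both derivations agree and the warnings disappear.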