Wireshark Capture with TSO enabled maxes out at 261478 bytes, dropping data.
Hi.
I'm trying to get a wireshark capture of XML data leaving a Windows VM with TSO enabled; when following the stream i'm ending up with corrupted XML data at the packet boundaries, which after some manipulation seems to highlight that data is being dropped somewhere. Currently using Wireshark 4.4.2.
When I capture the data, the bytes captured shown in the IPV4 header as a number of packets, each of length 261478 bytes, with a note that it's "reported as 0, presumed to be because of "TCP Segmentation offload" (TSO)", followed by a single packet of smaller size. I can confirm that I do deliberately have TSO enabled.
However, I can't find a way to ensure that I can capture the full data stream and keep TSO enabled: I've set the buffer to 100MB (and even 500mb) on the interface capture dialog, and had a good dig around, I can't get Wireshark to capture a packet of more than 261478 bytes, and presumably because the packet.len is 0, it doesn't know that it's dropping data.
I've tried a mixture of "following the stream" and individually reviewing the output of the packet window to see if it might be a "bug" somewhere, but the outputs are, unsuprisingly, identical.
Does this number ring a bell with anyone, and is there a way to remove the limit? I can't see the number referred to in any Wireshark manual anywhere or issue log , so feeling quite stuck !
Thanks in advance.
This may be a limit in the capture library, libpcap or npcap on Windows. Wireshark cannot display what is not captured.