TCP packet length was much greater than MTU [closed]

asked 2018-08-09 14:22:22 +0000

jjulianf

Referring to this question in the old Wireshark forum:

The issue is: Wireshark shows TCP frame length being much greater than the maximum TCP frame length of 1500 bytes.

The explanation is: "Probably you captured on the host that transmitted the oversized packet, and TCP Large Segment Offload [TSO] is enabled"

Now I found a good tutorial on how to disable TSO on Linux and I want to share it with you:

sudo apt install ethtool
ethtool --show-offload eth0  # shows whether tcp-segmentation-offload is enabled
sudo ethtool -K eth0 gso off
sudo ethtool -K eth0 tso off

I experienced the same just the other way around on the receiving client side, the reason for that was Large Receive Offload [LRO]. It can be disabled like this:

sudo ethtool -K eth0 lro off

Note that this step is only possible when LRO isn't set as [FIXED]. You can check this with:

ethtool --show-offload eth0
large-receive-offload: on [fixed]  # check for this in the output

Closed for the following reason not a real question by cmaynard
close date 2018-08-10 13:46:47.847391
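
A check that could run before the ethtool commands in the post above, as an added example that is not part of the original post: it parses `ethtool --show-offload` output, reports which offloads that inflate captured frame sizes are on and which are [fixed], and prints the disable command together with the matching restore command for after the capture. The function names and the sample output are constructed for illustration, and generic-receive-offload (gro) is included as an assumption, since the post names only TSO, GSO and LRO.

```shell
#!/bin/sh
# Constructed sample of `ethtool --show-offload eth0` output (not from a real host).
sample_output() {
cat <<'EOF'
Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
    tx-tcp-ecn-segmentation: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on [fixed]
EOF
}

# Reads `ethtool --show-offload` output on stdin and prints, per relevant
# offload: <ethtool short name> <on|off> <changeable|fixed>
offload_report() {
    awk -F': *' '
        BEGIN {
            short["tcp-segmentation-offload"]     = "tso"
            short["generic-segmentation-offload"] = "gso"
            short["generic-receive-offload"]      = "gro"   # assumption: not named in the post
            short["large-receive-offload"]        = "lro"
        }
        ($1 in short) {
            split($2, v, " ")
            print short[$1], v[1], ($2 ~ /\[fixed\]/ ? "fixed" : "changeable")
        }'
}

# Reads a report on stdin and prints the command that disables every offload
# that is on and changeable, then the command that restores it after capture.
capture_commands() {
    awk -v ifc="$1" '
        $2 == "on" && $3 == "changeable" { off = off " " $1 " off"; on = on " " $1 " on" }
        $2 == "on" && $3 == "fixed"      { print "# " $1 " is on [fixed]: cannot be disabled on " ifc }
        END {
            if (off != "") {
                print "ethtool -K " ifc off
                print "ethtool -K " ifc on
            }
        }'
}

# On a live host: ethtool --show-offload eth0 | offload_report | capture_commands eth0
sample_output | offload_report | capture_commands eth0
```

Running the restore line once the capture is finished returns the interface to its previous offload settings.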

Comments

What is your question?

cmaynard ( 2018-08-09 15:15:51 +0000 )

Great, you have slowed down your network performance!

Christian_R ( 2018-08-09 18:45:04 +0000 )

For some people who are wondering about the frame length they can measure with Wireshark, this might be a good explanation. I was wondering about this issue and had to do quite a lot of research to get all this information.

So no question, but helpful for people who are having the same question.

jjulianf ( 2018-08-10 08:08:26 +0000 )

Well, a couple of things:

1) From the Help:

This site is for asking and answering questions, not for open-ended discussions.

If you'd like to share general information about Wireshark, then maybe the wireshark-users or wireshark-dev mailing lists are the more appropriate forums to do so.

2) As Christian mentions, what you've done is generally poor advice as you've hindered performance. It's one thing to understand what's going on, but quite another to make unnecessary and performance-degrading changes in order for the capture files to show what you expect. It's as if you were trying to take a picture of a Formula 1 racecar zooming past you, but because the photograph always came out blurry, you decided to replace the Formula 1 engine with that of a Peel P50. You're now taking great photographs, but you've completely missed the point of the ...(more)

cmaynard ( 2018-08-10 13:46:18 +0000 )

For those coming to this question in the hope of configuring their NIC properly for capture, please see https://blog.packet-foo.com/2016/11/t... and the SecurityOnion reference that's linked to from that page.

chb ( 2019-11-08 19:34:39 +0000 )