TCP length in capture from aggregating TAP exceeds MTU

Background
I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports. The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

Problem
I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length varies widely, sometimes going above 8KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured ethernet interfaces on desktops/laptops.

If this is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP which will act as little more than a recording device for Wireshark?

TCP length in capture from aggregating TAP exceeds MTU

Background
I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports. The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

Problem
I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length varies widely, sometimes going above 8KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured ethernet interfaces on desktops/laptops. I read this post where OP attempts to remedy things with ethtool, but more experienced users take exception with his methods.

If a misconfigured interface is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP which will act as little more than a recording device for Wireshark?

TCP length in capture from aggregating TAP exceeds MTU

Background
I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports (these are simplex ports that send only). The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

Problem
I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length varies widely, sometimes going above 8KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured ethernet interfaces on desktops/laptops. I read this post where OP attempts to remedy things with ethtool, but more experienced users take exception with his methods.

If a misconfigured interface is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP which will act as little more than a recording device for Wireshark?

TCP length in capture from aggregating TAP exceeds MTU

Background
I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports (these are simplex ports that send only). The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

Problem
I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length from the sender starts at 1448, increases to 2896, then tops out at 8688KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured ethernet interfaces on desktops/laptops. I read this post where OP attempts to remedy things with ethtool, but more experienced users take exception with his methods.

If a misconfigured interface is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP which will act as little more than a recording device for Wireshark?

TCP length in capture from aggregating TAP exceeds MTU

Background
I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports (these are simplex ports that send only). The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

Problem
I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length from the sender starts at 1448, increases to 2896, then tops out at 8688KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured ethernet interfaces on desktops/laptops. I read this post where OP attempts to remedy things with ethtool, but more experienced users take exception with his methods.

Question
If a misconfigured interface is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP which will act as little more than a recording device for Wireshark?

TCP length in capture from aggregating TAP exceeds MTU

Background
I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports (these are simplex ports that send only). The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

Problem
I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length from the sender starts at 1448, increases to 2896, then tops out at 8688KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured ethernet interfaces on desktops/laptops.

Question
If a misconfigured interface is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP which will act as little more than a recording device for Wireshark? I read this post where OP attempts to remedy things with ethtool, but more experienced users take exception with his methods.
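
An added example, not part of the original post: the three lengths reported above are exact multiples of 1448 (x1, x2, x6), which is consistent with the capture host merging received segments (the `generic-receive-offload` / `large-receive-offload` features shown by `ethtool -k`) before the capture point sees them. The sketch below classifies the reported lengths and reads a constructed `ethtool -k` output; the MSS of 1448 and the on/off values are assumptions.

```python
import math
import re

# Constructed sample: the TCP payload lengths the question reports.
OBSERVED_LENGTHS = [1448, 2896, 8688]
# Assumption: 1448 (the smallest reported length) is the per-frame payload,
# i.e. a 1500-byte MTU minus 20 B IPv4, 20 B TCP and 12 B TCP timestamps.
MSS = 1448

# Constructed `ethtool -k enp8s0` output; the feature names are real, the
# on/off values are illustrative and not taken from the question.
ETHTOOL_K_SAMPLE = """\
Features for enp8s0:
rx-checksumming: on
tcp-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""

# Receive-side features that merge several frames into one buffer.
RX_MERGE_FEATURES = ("generic-receive-offload", "large-receive-offload")


def frames_merged(length, mss=MSS):
    """Minimum number of on-wire segments needed to carry `length` bytes."""
    return max(1, math.ceil(length / mss))


def classify(lengths, mss=MSS):
    """Return (length, frames, exact); exact = length is a whole multiple of mss."""
    return [(n, frames_merged(n, mss), n % mss == 0) for n in lengths]


def enabled_rx_merge(ethtool_text):
    """Names of receive-merge features reported as 'on' in `ethtool -k` text."""
    found = []
    for line in ethtool_text.splitlines():
        m = re.match(r"\s*([\w-]+):\s+(on|off)\b", line)
        if m and m.group(1) in RX_MERGE_FEATURES and m.group(2) == "on":
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for n, frames, exact in classify(OBSERVED_LENGTHS):
        note = "single frame" if frames == 1 else f"{frames} frames merged"
        print(f"{n:>6} B  {note}{'' if exact or frames == 1 else ' (last one short)'}")
    print("receive merging enabled:", enabled_rx_merge(ETHTOOL_K_SAMPLE))
```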