Wireshark-users: [Wireshark-users] When are payload lengths greater than the negotiated MSS?

From: Ashwin Rao <ashwin.shirvanthe@xxxxxxxxx>
Date: Thu, 26 Nov 2009 19:01:27 +0100
Hi,

The following traces are of a connection between a client and server
running on the same machine. The connection is over a local loop and
the MTU is limited to 1500 bytes for the local loop device.

During connection establishment the MSS exchanged is 1460, as shown
in the three-way handshake sniffed using Wireshark (displayed using
tshark):

1  11.210844 127.0.0.1 -> 127.0.0.1 TCP 50930 > 15001 [SYN] Seq=0
Win=5840 Len=0 MSS=1460 TSV=22998 TSER=0 WS=7
2  11.410950 127.0.0.1 -> 127.0.0.1 TCP 15001 > 50930 [SYN, ACK] Seq=0
Ack=1 Win=5792 Len=0 MSS=1460 TSV=23198 TSER=22998 WS=7
3  11.611333 127.0.0.1 -> 127.0.0.1 TCP 50930 > 15001 [ACK] Seq=1
Ack=1 Win=5888 Len=0 TSV=23398 TSER=23198

After some time, packets with length (2948) greater than 1460 bytes
(even after accounting for the TCP header sans options) are being
exchanged over the same socket. Following are three packets from the
same connection dumped using the command 'tshark -T fields -e tcp.port
-e tcp.len -e ip.len':

50930    2896    2948
50930    2896    2948
50930    2896    2948

The second and third columns indicate the tcp.len and ip.len
respectively.  The tcpdump output of the same trace is as follows:

17:22:34.846900 IP (tos 0x8, ttl 64, id 59157, offset 0, flags [DF],
proto TCP (6), length 2948) 127.0.0.1.15001 > 127.0.0.1.50930: .
5828:8724(2896) ack 113 win 46 <nop,nop,timestamp 32733 32533>

17:22:34.868313 IP (tos 0x8, ttl 64, id 59159, offset 0, flags [DF],
proto TCP (6), length 2948) 127.0.0.1.15001 > 127.0.0.1.50930: .
8724:11620(2896) ack 113 win 46 <nop,nop,timestamp 32754 32554>

17:22:34.952985 IP (tos 0x8, ttl 64, id 59161, offset 0, flags [DF],
proto TCP (6), length 2948) 127.0.0.1.15001 > 127.0.0.1.50930: .
11620:14516(2896) ack 113 win 46 <nop,nop,timestamp 32839 32608>

Clearly data payloads with length greater than the MSS negotiated are
being exchanged. I would like to know under which conditions payloads
greater than the MSS are exchanged. Further, is there a way to
limit the payloads to the specified MSS value?

Regarding the TCP implementation, the kernel used is the Linux 2.6.27
kernel, and Wireshark 1.0.8 was used to capture the packets.

Regards,
Ashwin
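
An added example, not part of the original post: a Python check that reads the tshark output quoted above, extracts the MSS advertised in the handshake, and lists every row whose tcp.len exceeds it, together with how that payload divides by the payload room of one segment. The function names and the 40-byte base-header figure (IPv4 and TCP headers without options) are assumptions of the example.

```python
import re

# Constructed sample input: the handshake summary lines and the
# "-T fields" rows quoted in the post, each re-joined onto one line.
HANDSHAKE = (
    "1  11.210844 127.0.0.1 -> 127.0.0.1 TCP 50930 > 15001 [SYN] Seq=0 "
    "Win=5840 Len=0 MSS=1460 TSV=22998 TSER=0 WS=7\n"
    "2  11.410950 127.0.0.1 -> 127.0.0.1 TCP 15001 > 50930 [SYN, ACK] Seq=0 "
    "Ack=1 Win=5792 Len=0 MSS=1460 TSV=23198 TSER=22998 WS=7\n"
    "3  11.611333 127.0.0.1 -> 127.0.0.1 TCP 50930 > 15001 [ACK] Seq=1 "
    "Ack=1 Win=5888 Len=0 TSV=23398 TSER=23198\n"
)
FIELDS = "50930 2896 2948\n50930 2896 2948\n50930 2896 2948\n"

SYN_RE = re.compile(r"TCP (\d+) > \d+ \[SYN(?:, ACK)?\].*\bMSS=(\d+)")
BASE_HEADERS = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header


def advertised_mss(summary_text):
    """Map each sender port to the MSS it advertised in its SYN or SYN/ACK."""
    return {int(m.group(1)): int(m.group(2))
            for m in map(SYN_RE.search, summary_text.splitlines()) if m}


def oversized_segments(fields_text, mss):
    """Return one dict per row whose tcp.len exceeds the advertised MSS."""
    rows = []
    for line in fields_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            continue  # skip blank or malformed rows
        port, tcp_len, ip_len = map(int, parts)
        if tcp_len <= mss:
            continue
        option_bytes = ip_len - tcp_len - BASE_HEADERS  # TCP options per packet
        per_segment = mss - option_bytes                # payload room per segment
        full, rest = divmod(tcp_len, per_segment)
        rows.append({"port": port, "tcp_len": tcp_len,
                     "option_bytes": option_bytes,
                     "per_segment": per_segment,
                     "full_segments": full, "remainder": rest})
    return rows


if __name__ == "__main__":
    limit = min(advertised_mss(HANDSHAKE).values())
    for row in oversized_segments(FIELDS, limit):
        print(row)
```

On the rows from the post, each captured payload of 2896 bytes comes out as exactly two segments of 1448 bytes, which is the advertised MSS of 1460 less the 12 bytes of timestamp option visible in the tcpdump output.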