Wireshark-dev: Re: [Wireshark-dev] Packets more than MTU are not getting captured

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 13 Jan 2015 00:40:17 -0800
On Jan 12, 2015, at 10:27 PM, Vishnu Bhatt <vishnu.bhatt@xxxxxxxxxxx> wrote:

> I am capturing through tcpdump and then opening the file using Wireshark. But I can see only frames of 1514 bytes whereas data up to 3000 bytes are present.

What do you mean by "data up to 3000 bytes are present"?

The maximum *link-layer* packet size on Ethernet, without jumbo frames, is 1514 bytes if the packet doesn't include the FCS (1518 bytes if it does, but, on most systems, the FCS isn't captured).

However, a packet at a protocol layer *above* the link layer can be bigger than the maximum link-layer packet size; its contents will just have to be sent in multiple link-layer packets (frames).

For example, you can send an IPv4 datagram with 3000 bytes of payload; assuming no IP options are added to the packet, it will be fragmented at the IP layer into two IPv4 fragments with 1480 bytes of payload (1480 bytes of payload + 20 bytes of IPv4 header + 14 bytes of Ethernet header = 1514 bytes) and one IPv4 fragment with 40 bytes of payload.

Or you can send an (SMB, AFP, NFS) write request or read reply with 3000 bytes of data over TCP; it will be sent in multiple TCP segments.

In both cases, however, you will only see *Ethernet frames* of 1514 bytes or fewer.  However, Wireshark may be able to reassemble fragmented IPv4/IPv6 datagrams, or packets of protocols running on top of TCP, and show them to you, constructed from their component Ethernet frames.
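
The IPv4 case described in the message, as an added example that is not part of the original post: it splits a 3000-byte IPv4 payload into fragments, reports the Ethernet frame size a capture would show for each, and rebuilds the datagram from the fragments. The 1500-byte MTU, the function names and the sample payload are assumptions made for the illustration.

```python
ETH_HEADER = 14   # Ethernet header, FCS not captured (as in the message)
IPV4_HEADER = 20  # IPv4 header with no options (as in the message)

def fragment(payload, mtu=1500, ip_header=IPV4_HEADER):
    """Split an IPv4 payload into (offset_units, more_fragments, data) tuples.

    offset_units is the IPv4 fragment offset field, counted in 8-byte units.
    """
    # Every fragment except the last must carry a multiple of 8 bytes.
    max_data = (mtu - ip_header) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags = []
    for start in range(0, len(payload), max_data):
        data = payload[start:start + max_data]
        more = start + len(data) < len(payload)
        frags.append((start // 8, more, data))
    return frags

def frame_sizes(frags, ip_header=IPV4_HEADER):
    """Ethernet frame length (without FCS) that a capture shows per fragment."""
    return [ETH_HEADER + ip_header + len(data) for _, _, data in frags]

def reassemble(frags):
    """Rebuild the payload from fragments in any order; None if incomplete."""
    last = [f for f in frags if not f[1]]
    if len(last) != 1:
        return None  # the final fragment (MF clear) is missing or ambiguous
    total = last[0][0] * 8 + len(last[0][2])
    buf, seen = bytearray(total), bytearray(total)
    for offset_units, _, data in frags:
        start = offset_units * 8
        if start + len(data) > total:
            return None  # fragment extends past the end set by the last one
        buf[start:start + len(data)] = data
        seen[start:start + len(data)] = b"\x01" * len(data)
    return bytes(buf) if all(seen) else None  # a hole means a lost fragment

if __name__ == "__main__":
    sample = bytes(i % 251 for i in range(3000))  # constructed sample payload
    frags = fragment(sample)
    for (off, more, data), size in zip(frags, frame_sizes(frags)):
        print(f"offset={off * 8:4d} MF={int(more)} payload={len(data):4d} frame={size}")
    print("reassembled ok:", reassemble(frags[::-1]) == sample)
```
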