Wireshark-users: [Wireshark-users] tcp packets too big !?

From: Christophe Lohr <Christophe.Lohr@xxxxxxxxxxxxxxxx>
Date: Fri, 02 Feb 2007 14:26:33 +0100
Hi,
  Wireshark shows (outgoing) TCP packets with a surprising size, larger than
the MSS...

Let's consider the following "Client" and "Server":
* Server [192.168.100.17] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" > server.dump
# netcat -l -p 7575 > /dev/null

* Client [192.168.100.11] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" > client.dump
# netcat 192.168.100.17 7575 </dev/zero

Now, let's have a look at "server.dump" and "client.dump" files:
* client.dump *
  0.000000 192.168.100.11 -> 192.168.100.17 TCP 74 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
  0.000835 192.168.100.17 -> 192.168.100.11 TCP 74 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
  0.000853 192.168.100.11 -> 192.168.100.17 TCP 66 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
  0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
  0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
  0.001336 192.168.100.17 -> 192.168.100.11 TCP 66 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
  0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
  (..)

The last TCP packet has Len=2896 !!!???

And now, packets received:
* server.dump *
  0.000000 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
  0.000525 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
  0.000764 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
  0.001016 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
  0.001035 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
  0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
  0.001285 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874589889 Win=168 Len=0 TSV=1201905 TSER=237521907
  0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
  0.001531 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874591337 Win=213 Len=0 TSV=1201905 TSER=237521907
  0.001535 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874591337 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
  (..)

No trace of large TCP packets...

I can't understand how "Client" manages to send TCP packets larger than the MTU.

Does Wireshark dump real (outgoing) packets?

Note that "Client" and "Server" are Linux 2.6.18/Fedora4.

Many thanks.
Regards
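
Added example, not part of the original post: a comparison of the two dumps by TCP sequence range, using the client-side lines from the handshake's final ACK onward and the server-side data segments from the post with the mail line wraps joined. For every sender-side segment longer than the MSS it checks whether the receiver's capture covers exactly the same bytes with smaller segments; the function names are this example's own.

```python
import re

# Lines copied from the post's client.dump and server.dump (mail wraps joined).
CLIENT_DUMP = """
0.000853 192.168.100.11 -> 192.168.100.17 TCP 66 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001336 192.168.100.17 -> 192.168.100.11 TCP 66 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
"""
SERVER_DUMP = """
0.001016 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
0.001535 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874591337 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
"""
MSS = 1460                   # MSS option in both SYNs of the post
SENDER = "192.168.100.11"    # the "Client" host

SEG = re.compile(r"(\S+) -> (\S+) TCP .*?Seq=(\d+) .*?Len=(\d+)")

def segments(dump, src):
    """Return [(seq, length)] for data-carrying segments sent by src."""
    out = []
    for line in dump.splitlines():
        m = SEG.search(line)
        if m and m.group(1) == src and int(m.group(4)) > 0:
            out.append((int(m.group(3)), int(m.group(4))))
    return out

def wire_pieces(seq, length, receiver_segs):
    """Receiver-side segments that exactly tile [seq, seq+length), else None."""
    by_seq = dict(receiver_segs)
    pieces, cur, end = [], seq, seq + length
    while cur < end:
        if cur not in by_seq:
            return None          # gap: bytes not seen in the receiver capture
        pieces.append((cur, by_seq[cur]))
        cur += by_seq[cur]
    return pieces if cur == end else None

def oversize_report(client_dump, server_dump, src, mss):
    """Map each sender-side segment longer than mss to its receiver-side pieces."""
    rx = segments(server_dump, src)
    return {(seq, ln): wire_pieces(seq, ln, rx)
            for seq, ln in segments(client_dump, src) if ln > mss}

if __name__ == "__main__":
    for seg, pieces in oversize_report(CLIENT_DUMP, SERVER_DUMP, SENDER, MSS).items():
        print(seg, "->", pieces)
```

On the post's data, the Len=2896 segment starting at Seq=2874589889 corresponds to the two Len=1448 segments at Seq=2874589889 and Seq=2874591337 in server.dump.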