On Wed, Jun 25, 2008 at 05:21:35PM -0700, Guy Harris wrote:
>
> On Jun 25, 2008, at 11:54 AM, Martin Andersson wrote:
>
> > I have a capture with very large tcp packets (it's a ftp session).
> > My concern is that I can't see any IP fragments.
>
> Perhaps either
>
> 1) there aren't any - if this is gigabit Ethernet, it might be using
> jumbo frames:
>
> http://en.wikipedia.org/wiki/Jumbo_Frame
In that case the MSS in the TCP options of the SYN packets would not
be 1460 and 1360 as they are in this trace...
> or
> 2) the network adapter on the machine doing the capture is doing IP
> fragment reassembly and passing simulated jumbo frames to the host
Martin stated that the capture was made on the FTP server, which for
this connection is the sending host...
> or
> 3) the network adapter on the machine is doing TCP segmentation
> offloading on the receive side and passing simulated jumbo frames to
> the host.
As the trace was made on the sending side, I suspect that the FTP
server is indeed offloading TCP segmentation to the NIC. If you want
to be sure, you could make a trace on the server and at the same time
on the client to verify that the large packets are indeed segmented
to normal sizes on the wire.
Cheers,
Sake
