Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] TCP packets greater than 1516 bytes

From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Sat, 22 Aug 2009 14:16:29 -0400
Deborah Charan wrote:
I am looking at TCP traffic between two machines. I would like to see the actual packets, I don't want to see the whole stream, but instead would like to know the actual number of packets. Since this is over ethernet, the max size per packet should be ~1514 bytes. My TCP packets have 10K or 8K ... I upgraded to Wireshark 1.2.1, I have unchecked the TCP preference for "Allow subdisectors to reassemble TCP streams", I have tried disabling TCP and IP dissection altogether, and still the packets are thousands of bytes. Of course the ACKs are small, and every packet is not huge, but I just want to see the packets.
I'm running on Ubuntu if that is important.

Any info would be appreciated.


Might be TCP segmentation offloading or Jumbo Frames...

Please see the message thread starting at:

http://www.wireshark.org/lists/wireshark-users/200806/msg00245.html

Also: a Google search 'site:wireshark.org "jumbo frames"' brings up other hits about large frames.