Wireshark-users: [Wireshark-users] Capturing up 64K byte frame on a VM guest

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sat, 13 Mar 2010 21:54:36 +1100

Doing some troubleshooting work at a customer and came across a strange anomaly I hadn't seen before. We setup a test server using a run-of-the-mill Centos 5.x machine running as a VMware ESX guest (not sure of the version). I believe the NICs are Intel e1000.

We captured some HTTP data transfers using the Centos built-in tcpdump on the test server.

Taking this offline to analyse in Wireshark, I was surprised to see Ethernet frame sizes up to 64000 bytes in length. I am dead-certain these aren't actually going on the wire (based on previous captures off a switch port-mirror) and even the fact that the Centos guest has the default 1500 byte MTU set for its interfaces. By the time these frames get to the client they have been fragmented to the correct size of less than 1500 bytes. (This is despite the "Don't Fragment" bit being set in all outgoing frames.)

Has anyone else seen this before? The only thing I can put it down to is that there is probably a TCP offloading driver being used, or maybe some magic that is running inside VMware ESX, and that the tcpdump capture is being done at a point where larger-than-Ethernet buffers are pushing data to the hardware/virtual NIC for TCP processing.

(We are tracking a problem where it seems clear that TCP segments are going missing in certain circumstances, and this has come up as a bit of a red herring.)

Regards, Martin
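To separate offload-sized frames from what a switch port-mirror would carry, the following added script (not from Martin's post) parses a libpcap file with only the standard library and lists the frames whose IPv4 payload exceeds the MTU, together with the DF flag he mentions; the embedded capture is constructed for the demonstration.

```python
"""Flag frames in a pcap that exceed the link MTU: the signature of a capture
taken above a segmentation-offload (TSO/LSO) boundary rather than on the wire."""
import struct

ETH_HDR = 14          # dst MAC, src MAC, ethertype
PCAP_GLOBAL_HDR = 24  # libpcap file header
PCAP_REC_HDR = 16     # per-packet record header

def oversized_frames(pcap: bytes, mtu: int = 1500):
    """Return (frame_no, frame_len, ip_total_len, df_set) for every IPv4 frame
    whose Ethernet payload is larger than `mtu`. Assumes a little-endian
    libpcap file (magic 0xa1b2c3d4) with Ethernet link type."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    results, off, frame_no = [], PCAP_GLOBAL_HDR, 0
    while off + PCAP_REC_HDR <= len(pcap):
        _sec, _usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + PCAP_REC_HDR: off + PCAP_REC_HDR + incl_len]
        off += PCAP_REC_HDR + incl_len
        frame_no += 1
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != 0x0800 or orig_len - ETH_HDR <= mtu:
            continue                      # not IPv4, or fits within the MTU
        ip_total_len, = struct.unpack_from("!H", frame, ETH_HDR + 2)
        flags_frag, = struct.unpack_from("!H", frame, ETH_HDR + 6)
        results.append((frame_no, orig_len, ip_total_len, bool(flags_frag & 0x4000)))
    return results

# --- constructed sample capture (hypothetical data, not from the original post)
def _frame(payload_len: int, df: bool = True) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame carrying `payload_len` bytes of data."""
    eth = b"\x00\x50\x56\x00\x00\x01" + b"\x00\x50\x56\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 1,
                     0x4000 if df else 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def _pcap(frames) -> bytes:
    """Wrap frames in a libpcap file: global header plus one record each."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs

# one wire-sized segment, one offload-sized 64000-byte IP datagram, one small one
SAMPLE_PCAP = _pcap([_frame(1460), _frame(63960), _frame(100)])

if __name__ == "__main__":
    for no, flen, iplen, df in oversized_frames(SAMPLE_PCAP):
        print(f"frame {no}: {flen} bytes on 'wire', IP total length {iplen}, DF={df}")
```

Run against a real tcpdump file by replacing SAMPLE_PCAP with the file's bytes; any hit confirms the capture point sits above the NIC's segmentation, so frame sizes there say nothing about what left the host.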