Wireshark-users: Re: [Wireshark-users] wireshark sees jumbo TCP packets in linux

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 26 Jun 2012 16:48:33 -0400

On Tue, Jun 26, 2012 at 4:37 PM, Templin, Fred L
<Fred.L.Templin@xxxxxxxxxx> wrote:
> On recent linux distros (mine is Ubuntu 12.4 with 3.2.0-23 kernel),
> wireshark captures of an sftp large file transfer showed jumbo-sized
> TCP packets significantly larger than 1500 bytes. This is on a linux
> laptop with a 1500 MTU Ethernet, so it could not possibly reflect
> what actually goes out on the wire.
>
> If you do the wireshark capture on the large file sender, you see
> outbound packets as large as 64K. If you do the wireshark capture
> on the large file receiver, you see inbound packets anywhere from
> ~2KB - ~16KB.
>
> The source of the confusion turned out to be linux performance
> enhancements called Generic Segment Offload (GSO), Generic
> Reassembly Offload (GRO) and TCP Segment Offload (TSO). These
> functions push the TCP segmentation/reassembly function down to
> the network layer driver code and somehow circumvent the packet
> capture hooks which should be showing the actual packets that
> go out on the wire instead of the jumbos.
>
> To turn these functions off, type:
>
> # ethtool --offload eth0 gso off
> # ethtool --offload eth0 tso off
> # ethtool --offload eth0 gro off
>
> You should now see wireshark picking up packets that are no
> larger than the actual network interface MTU, i.e., the
> actual packets that go out on the wire.
>
> Have others seen this? Is there a better workaround than
> what I described above?

Yes, it's seen fairly frequently and that's the method which I think
is typically used; see:

http://wiki.wireshark.org/CaptureSetup/Offloading
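As an added example, not from this thread or the Wireshark project, a small POSIX shell helper for the workflow above: it reads `ethtool -k` output and reports which of the offloads the poster names (plus LRO) are on and changeable, prints the matching `ethtool --offload ... off` commands, and checks from per-frame lengths that a capture no longer exceeds the interface MTU. The `ethtool -k` text below is a constructed sample; `eth0` and the short names tso/gso/gro/lro are the ones ethtool accepts.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k eth0` output (not taken from the poster's
# machine). Features marked [fixed] cannot be toggled, so they are skipped.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Read `ethtool -k` output on stdin and print, space separated and in
# ethtool's order, the short names of the segmentation/reassembly offloads
# that are on and changeable. These are the features that make captures
# show frames larger than the wire MTU.
offloads_to_disable() {
    awk -F': ' '
        /^tcp-segmentation-offload:/     { name = "tso" }
        /^generic-segmentation-offload:/ { name = "gso" }
        /^generic-receive-offload:/      { name = "gro" }
        /^large-receive-offload:/        { name = "lro" }
        name != "" {
            if ($2 ~ /^on/ && $2 !~ /\[fixed\]/)
                out = out (length(out) ? " " : "") name
            name = ""
        }
        END { print out }'
}

# Print (do not run) the ethtool commands that turn the given offloads off.
# Usage: disable_cmds eth0 "tso gso gro"
disable_cmds() {
    iface=$1
    for f in $2; do
        printf 'ethtool --offload %s %s off\n' "$iface" "$f"
    done
}

# Given one frame length per line (for example from
#   tshark -r after.pcap -T fields -e frame.len), print the largest one.
# Anything above MTU + 14 bytes of Ethernet header means offloading is
# still merging segments before the capture hook sees them.
max_frame_len() {
    awk 'NR == 1 || $1 > max { max = $1 } END { print max + 0 }'
}

# Example run against the constructed sample; on a real host replace the
# printf with: ethtool -k eth0 | offloads_to_disable
to_off=$(printf '%s\n' "$SAMPLE_ETHTOOL_K" | offloads_to_disable)
disable_cmds eth0 "$to_off"
```

After re-enabling the offloads when the capture is done, run `ethtool -k` again to confirm the interface is back to its normal state.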