Wireshark-users: [Wireshark-users] How can a packet size be greater than the NIC's MTU?

From: Mohamed Lrhazi <lrhazi@xxxxxxxxx>
Date: Tue, 3 Dec 2013 21:30:25 -0500
I guess the subject line is all I need to say :)

I am debugging an issue which seems to be rooted in some MTU problem... and I notice that on a host, according to the pcaps I take using tcpdump on Red Hat Linux 6.x, the packet size is shown to be over 2500 bytes, when the MTU of the network interface is only 1500... Or is a "packet" as displayed by Wireshark or tcpdump unrelated to the L2 frames? Could there have been more frames for that one "packet"? How can I have "tcpdump -r" or Wireshark show me the exact frames, so I can see their actual sizes?

Example, notice the packet with a "tcp size" of 2896, "IP size" is 2948.

➜  tmp  tcpdump  -qnr ubuntu-1.mtu1500.pcap
reading from file ubuntu-1.mtu1500.pcap, link-type EN10MB (Ethernet)
18:09:07.874894 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.874990 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 0
18:09:07.878527 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.878819 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 85
18:09:07.878842 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 0
18:09:07.879982 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 17
18:09:07.880299 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 2896
18:09:07.880506 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 395
18:09:07.882022 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.882048 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:07.883506 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:07.883523 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:08.087483 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:08.495509 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:09.311515 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:10.947503 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:14.223563 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 1448
18:09:16.463307 IP 192.168.77.204.55992 > 192.168.77.201.80: tcp 0
18:09:16.463353 IP 192.168.77.201.80 > 192.168.77.204.55992: tcp 0
➜  tmp  



Thanks a lot,
Mohamed.