Could it be that your Linux is supporting and using jumbo frames? In
this case the MTU is much bigger.
On 02.02.2007, at 14:26, Christophe Lohr wrote:
Hi,
Wireshark shows an (outgoing) TCP packet with a surprising size, larger than the MSS...
Let's consider the following "Client" and "Server":
* Server [192.168.100.17] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" > server.dump
# netcat -l -p 7575 > /dev/null
* Client [192.168.100.11] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" > client.dump
# netcat 192.168.100.17 7575 </dev/zero
Now, let's have a look at "server.dump" and "client.dump" files:
* client.dump *
0.000000 192.168.100.11 -> 192.168.100.17 TCP 74 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
0.000835 192.168.100.17 -> 192.168.100.11 TCP 74 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
0.000853 192.168.100.11 -> 192.168.100.17 TCP 66 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001336 192.168.100.17 -> 192.168.100.11 TCP 66 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
(..)
The last TCP packet has Len=2896 !!!???
And now, packets received:
* server.dump *
0.000000 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
0.000525 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [SYN, ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904 TSER=237521906 WS=6
0.000764 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
0.001016 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001035 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001285 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874589889 Win=168 Len=0 TSV=1201905 TSER=237521907
0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
0.001531 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK] Seq=2859359247 Ack=2874591337 Win=213 Len=0 TSV=1201905 TSER=237521907
0.001535 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874591337 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
(..)
No trace of large TCP packets...
I can't understand how "Client" manages to send TCP packets larger than the MTU.
Does Wireshark dump real (outgoing) packets?
Note that "Client" and "Server" are Linux 2.6.18/Fedora4.
Many thanks.
Regards
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Andreas Fink
Fink Consulting GmbH
Global Networks Schweiz AG
BebbiCell AG
---------------------------------------------------------------
Tel: +41-61-6666330 Fax: +41-61-6666331 Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail: [EMAIL PROTECTED]
www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
---------------------------------------------------------------
ICQ: 8239353 MSN: [EMAIL PROTECTED] AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333
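An added example, not part of the original thread: a small Python check that takes the client-to-server lines from the two dumps above and tests whether the record larger than the negotiated MSS in client.dump covers exactly the same byte range as consecutive segments in server.dump. The function names (`field`, `data_segments`, `tiling`, `compare`) are this example's own.

```python
import re
# Lines copied from the client.dump and server.dump excerpts in the thread
# (mail line-wraps rejoined; only client-to-server packets are needed here).
CLIENT_DUMP = """\
0.000000 192.168.100.11 -> 192.168.100.17 TCP 74 38587 > 7575 [SYN] Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
"""
SERVER_DUMP = """\
0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
0.001535 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874591337 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
"""
U32 = 2**32  # TCP sequence numbers wrap modulo 2^32

def field(line, name):
    """Return the integer value of a NAME=123 field in a tshark summary line."""
    m = re.search(rf"\b{name}=(\d+)", line)
    return int(m.group(1)) if m else None

def data_segments(dump, src):
    """Return (mss_from_syn, [(seq, len), ...]) for packets sent by src."""
    mss, segs = None, []
    for line in dump.splitlines():
        cols = line.split()
        if len(cols) < 2 or cols[1] != src:
            continue
        mss = field(line, "MSS") or mss
        if field(line, "Len"):  # skip pure ACKs and the SYN (Len=0)
            segs.append((field(line, "Seq"), field(line, "Len")))
    return mss, segs

def tiling(big, wire):
    """On-wire segments that exactly cover the byte range of `big`, else []."""
    by_seq, (cur, length) = dict(wire), big
    end, parts = (cur + length) % U32, []
    while cur != end and cur in by_seq:
        parts.append((cur, by_seq[cur]))
        cur = (cur + by_seq[cur]) % U32
    return parts if cur == end else []

def compare(client_dump, server_dump, src):
    """Map each sender-side record larger than the MSS to its receiver-side segments."""
    mss, sent = data_segments(client_dump, src)
    _, wire = data_segments(server_dump, src)
    return {big: tiling(big, wire) for big in sent if big[1] > mss}

if __name__ == "__main__":
    for big, parts in compare(CLIENT_DUMP, SERVER_DUMP, "192.168.100.11").items():
        print(f"sender capture {big} > MSS; receiver saw {parts}")
```

For the thread's data, the Len=2896 record at Seq=2874589889 maps onto two consecutive Len=1448 segments in server.dump, and nothing in server.dump exceeds the MSS.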