Wireshark-dev: Re: [Wireshark-dev] Packets more than MTU are not getting captured

From: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date: Tue, 13 Jan 2015 12:27:35 +0000
Possibly due to offloading set on the interface: http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
Regards
Anders

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Vishnu Bhatt
Sent: den 13 januari 2015 11:04
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Packets more than MTU are not getting captured

My real question is, if the MTU is 1500 bytes, then how come on some machines tcpdump captures frames greater than the MTU and on some machines it captures maximum-MTU-size frames.

Also, at which level does tcpdump capture frames? Before bytes are passed to the Ethernet level, or before that?

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Tuesday, January 13, 2015 2:10 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Packets more than MTU are not getting captured


On Jan 12, 2015, at 10:27 PM, Vishnu Bhatt <vishnu.bhatt@xxxxxxxxxxx> wrote:

> I am capturing through tcpdump and then opening the file using Wireshark. But I can see only frames of 1514 bytes whereas data up to 3000 bytes are present.

What do you mean by "data up to 3000 bytes are present"?

The maximum *link-layer* packet size on Ethernet, without jumbo frames, is 1514 bytes if the packet doesn't include the FCS (1518 bytes if it does, but, on most systems, the FCS isn't captured).

However, a packet at a protocol layer *above* the link layer can be bigger than the maximum link-layer packet size; its contents will just have to be sent in multiple link-layer packets (frames).

For example, you can send an IPv4 datagram with 3000 bytes of payload; assuming no IP options are added to the packet, it will be fragmented at the IP layer into two IPv4 fragments with 1480 bytes of payload (1480 bytes of payload + 20 bytes of IPv4 header + 14 bytes of Ethernet header = 1514 bytes) and one IPv4 fragment with 40 bytes of payload.

Or you can send an (SMB, AFP, NFS) write request or read reply with 3000 bytes of data over TCP; it will be sent in multiple TCP segments.

In both cases, however, you will only see *Ethernet frames* of 1514 bytes or fewer.  However, Wireshark may be able to reassemble fragmented IPv4/IPv6 datagrams, or packets of protocols running on top of TCP, and show them to you, constructed from their component Ethernet frames.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
"DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."
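
Added example (not from the thread or from the Wireshark/tcpdump projects): the two mechanisms discussed above, in runnable Python. The first function reproduces Guy Harris's IPv4 fragmentation arithmetic (3000-byte payload on a 1500-byte MTU gives two 1480-byte fragments and one 40-byte fragment) and generalises it to other MTUs and to IPv4 options; the second parses the output of `ethtool -k` (the Linux tool the Security Onion post refers to) and flags the offload features (GRO, LRO, TSO, GSO) that explain why a capture on some machines shows frames larger than the MTU. The `ethtool -k` output below is a constructed sample trimmed to the relevant lines; the interface name `eth0` and the assumption that options are copied into every fragment are illustrative.

```python
"""Why captured Ethernet frames can be larger or smaller than the link MTU.

1. ipv4_fragments(): IPv4 fragmentation layout for a datagram that does not
   fit in one frame (frames on the wire never exceed MTU + Ethernet header).
2. offloads_enabled(): which `ethtool -k` features, when on, let the kernel
   hand tcpdump merged/unsegmented super-frames larger than the MTU.
"""

ETH_HDR = 14       # dst MAC + src MAC + EtherType (FCS not counted; rarely captured)
IPV4_MIN_HDR = 20  # IPv4 header without options


def ipv4_fragments(payload_len, mtu=1500, options_len=0):
    """Return a list of (offset_bytes, payload_bytes, more_fragments, frame_bytes).

    The fragment-offset field counts 8-byte units, so every fragment except
    the last carries a multiple of 8 payload bytes. Assumption: options (if
    any) are copied into every fragment, the worst case for sizing.
    """
    if options_len % 4 or options_len > 40:
        raise ValueError("IPv4 options must be a multiple of 4 bytes, at most 40")
    hdr = IPV4_MIN_HDR + options_len
    per_frag = (mtu - hdr) // 8 * 8  # largest multiple of 8 that fits in the MTU
    if per_frag <= 0:
        raise ValueError("MTU too small to carry an IPv4 fragment")
    frags, offset = [], 0
    while offset < payload_len:
        n = min(per_frag, payload_len - offset)
        more = offset + n < payload_len          # MF flag set on all but the last
        frags.append((offset, n, more, ETH_HDR + hdr + n))
        offset += n
    return frags


# Constructed sample of `ethtool -k eth0` output (Linux), trimmed to the lines
# relevant here; real output lists many more features.
SAMPLE_ETHTOOL_K = """\
Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
"""

# Receive-side merging (GRO/LRO) and transmit-side deferred segmentation
# (TSO/GSO) both put frames larger than the MTU on the capture tap.
SUPER_FRAME_FEATURES = {
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
    "tcp-segmentation-offload": "tso",
    "generic-segmentation-offload": "gso",
}


def offloads_enabled(ethtool_k_output):
    """Return the sorted names of super-frame offload features reported 'on'."""
    enabled = []
    for line in ethtool_k_output.splitlines():
        if ":" not in line or line.startswith("Features"):
            continue
        name, _, state = line.partition(":")
        parts = state.split()  # e.g. ['off', '[fixed]'] -> keep only the state
        if not parts:
            continue
        if name.strip() in SUPER_FRAME_FEATURES and parts[0] == "on":
            enabled.append(name.strip())
    return sorted(enabled)


def ethtool_disable_command(iface, features):
    """Build the `ethtool -K <iface> ... off` command for the given features.

    Uses the short feature names ethtool -K accepts (gro, lro, tso, gso).
    """
    flags = " ".join(f"{SUPER_FRAME_FEATURES[f]} off" for f in features)
    return f"ethtool -K {iface} {flags}"


if __name__ == "__main__":
    for off, n, more, frame in ipv4_fragments(3000):
        print(f"offset={off:5d} payload={n:4d} MF={int(more)} frame={frame}")
    on = offloads_enabled(SAMPLE_ETHTOOL_K)
    print("super-frame offloads on:", on)
    print("to capture wire-sized frames, run:", ethtool_disable_command("eth0", on))
```

Run this on the output of `ethtool -k <iface>` from the capture host: if any of the four features are on, tcpdump sees what the kernel assembled, not what was on the wire, which is the case Vishnu describes where frames exceed the MTU. Disabling them (`ethtool -K ... off`) is a capture-time change that costs some throughput and needs root; doing it on a dedicated capture interface rather than a production one is the usual compromise. The fragmentation function also shows why a Wireshark-reassembled 3000-byte datagram still arrives as three separate frames of at most 1514 bytes.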