Wireshark-users: Re: [Wireshark-users] tcp packets too big !?

Date: Fri, 2 Feb 2007 08:30:59 -0600



It appears to be a miscalculation of the length.
If you subtract the sequence numbers in the first trace (2874589889 -
2874588441) you get 1448, the same value as in the second.
I don't know the reason for the miscalculation, but the actual packet
length does not exceed the MTU.

Ed Staszko
Telecomm Analyst
Mutual of Omaha



From: "Christophe Lohr" <Christophe.Lohr@enst-bretagne.fr>
Sent by: wireshark-users-bounces@wireshark.org
Date: 02/02/2007 07:26 AM
To: wireshark-users@xxxxxxxxxxxxx
cc:
Subject: [Wireshark-users] tcp packets too big !?
Please respond to "Community support list for Wireshark" <wireshark-users@wireshark.org>




Hi,
  Wireshark shows an (outgoing) TCP packet with a surprising size, larger than
the MSS...

Let's consider the following "Client" and "Server":
* Server [192.168.100.17] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" >
server.dump
# netcat -l -p 7575 > /dev/null

* Client [192.168.100.11] *
# tshark -n "host 192.168.100.11 && host 192.168.100.17 && port 7575" >
client.dump
# netcat 192.168.100.17 7575 </dev/zero

Now, let's have a look at "server.dump" and "client.dump" files:
* client.dump *
  0.000000 192.168.100.11 -> 192.168.100.17 TCP 74 38587 > 7575 [SYN]
Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
  0.000835 192.168.100.17 -> 192.168.100.11 TCP 74 7575 > 38587 [SYN,
ACK] Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904
TSER=237521906 WS=6
  0.000853 192.168.100.11 -> 192.168.100.17 TCP 66 38587 > 7575 [ACK]
Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
  0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH,
ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907
TSER=1201904
  0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK]
Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
  0.001336 192.168.100.17 -> 192.168.100.11 TCP 66 7575 > 38587 [ACK]
Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
  0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK]
Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
  (..)

The last TCP packet has Len=2896 !!!???

And now, packets received:
* server.dump *
  0.000000 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [SYN]
Seq=2874587416 Len=0 MSS=1460 TSV=237521906 TSER=0 WS=6
  0.000525 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [SYN, ACK]
Seq=2859359246 Ack=2874587417 Win=5792 Len=0 MSS=1460 TSV=1201904
TSER=237521906 WS=6
  0.000764 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK]
Seq=2874587417 Ack=2859359247 Win=92 Len=0 TSV=237521907 TSER=1201904
  0.001016 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [PSH, ACK]
Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
  0.001035 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK]
Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
  0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK]
Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
  0.001285 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK]
Seq=2859359247 Ack=2874589889 Win=168 Len=0 TSV=1201905 TSER=237521907
  0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK]
Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
  0.001531 192.168.100.17 -> 192.168.100.11 TCP 7575 > 38587 [ACK]
Seq=2859359247 Ack=2874591337 Win=213 Len=0 TSV=1201905 TSER=237521907
  0.001535 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK]
Seq=2874591337 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
  (..)

No trace of large TCP packets...

I can't understand how "Client" manages to send TCP packets larger than the MTU.

Does Wireshark dump real (outgoing) packets?

Note that "Client" and "Server" are Linux 2.6.18/Fedora4.

Many thanks.
Regards

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
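As an added check that is not part of either message above: a small parser over the tshark summary lines quoted in the thread (re-joined one per packet) that applies the sequence-number subtraction to every data segment, not just one pair. It shows both captures are internally contiguous and cover exactly the same byte range, with the client-side 2896-byte segment spanning the same bytes as the two 1448-byte segments the server sees.

```python
import re

# Data-bearing client->server lines from client.dump and server.dump in the
# thread, re-joined onto one line per packet (same values as quoted above).
CLIENT_DUMP = """\
0.001001 192.168.100.11 -> 192.168.100.17 TCP 1090 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001134 192.168.100.11 -> 192.168.100.17 TCP 1514 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001336 192.168.100.17 -> 192.168.100.11 TCP 66 7575 > 38587 [ACK] Seq=2859359247 Ack=2874588441 Win=123 Len=0 TSV=1201905 TSER=237521907
0.001348 192.168.100.11 -> 192.168.100.17 TCP 2962 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=2896 TSV=237521907 TSER=1201905
"""
SERVER_DUMP = """\
0.001016 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [PSH, ACK] Seq=2874587417 Ack=2859359247 Win=92 Len=1024 TSV=237521907 TSER=1201904
0.001266 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874588441 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201904
0.001516 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874589889 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
0.001535 192.168.100.11 -> 192.168.100.17 TCP 38587 > 7575 [ACK] Seq=2874591337 Ack=2859359247 Win=92 Len=1448 TSV=237521907 TSER=1201905
"""

# Matches both tshark layouts in the thread (with or without the frame-length column).
LINE_RE = re.compile(r"^\s*\S+\s+(\S+) -> (\S+) TCP .*?Seq=(\d+) .*?Len=(\d+)")

def data_segments(dump, src):
    """Return (seq, len) for every segment sent by `src` that carries payload."""
    segs = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == src and int(m.group(4)) > 0:
            segs.append((int(m.group(3)), int(m.group(4))))
    return segs

def check_contiguous(segs):
    """The subtraction check generalised: each Seq must equal the previous
    Seq + Len. Returns (expected, actual) pairs for any gap or overlap."""
    return [(seq + ln, nxt) for (seq, ln), (nxt, _) in zip(segs, segs[1:])
            if seq + ln != nxt]

def byte_range(segs):
    """Half-open [first Seq, last Seq + last Len) covered by the segments."""
    return (segs[0][0], segs[-1][0] + segs[-1][1])

def largest_segment(segs):
    return max(ln for _, ln in segs)

if __name__ == "__main__":
    for name, dump in (("client.dump", CLIENT_DUMP), ("server.dump", SERVER_DUMP)):
        segs = data_segments(dump, "192.168.100.11")
        print(name, "gaps:", check_contiguous(segs), "range:", byte_range(segs),
              "largest Len:", largest_segment(segs))
```

The byte accounting is identical on both sides, so the oversized Len is a real segment as handed to the capture point on the sending host; a capture that sits above the NIC's TCP segmentation offload sees the segment before the hardware splits it into MTU-sized frames, while the receiver only ever sees the 1448-byte pieces.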


