Wireshark-users: Re: [Wireshark-users] wireshark sees jumbo TCP packets in linux
At 01:37 PM 6/26/2012, Fred Templin wrote:
>The source of the confusion turned out to be Linux performance
>enhancements called Generic Segment Offload (GSO), Generic
>Reassembly Offload (GRO) and TCP Segment Offload (TSO). These
>functions push the TCP segmentation/reassembly function down to
>the network layer driver code and somehow circumvent the packet
>capture hooks which should be showing the actual packets that
>go out on the wire instead of the jumbos.
>
>To turn these functions off, type:
>
># ethtool --offload eth0 gso off
># ethtool --offload eth0 tso off
># ethtool --offload eth0 gro off
>
>You should now see Wireshark picking up packets that are no
>larger than the actual network interface MTU, i.e., the
>actual packets that go out on the wire.
>
>Have others seen this? Is there a better workaround than
>what I described above?

Yes, this is the best workaround if what you are trying to do is to make
the packets that Wireshark sees the same size as the packets that are
transmitted on the wire. However, as you note above, these are
performance enhancements. By turning them off, you lose the performance
benefits.

Why not simply capture from the wire to see what is actually transmitted
on the wire, and leave the performance enhancements on? Capturing from
the wire--that is, from a third system that is not one of the endpoints
involved in the communication--is considered by many to be a best
practice in network analysis.

Jim
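
An added example, not part of the original messages: a POSIX shell wrapper that turns GSO/TSO/GRO off only while a capture command runs and then re-enables the ones that were on before, which limits the performance cost raised in the reply. The function names, the sample ethtool output and the file names in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): disable GSO/TSO/GRO only while a
# capture runs, then re-enable exactly the offloads that were on before.

# Print the short names (tso/gso/gro) of the offloads reported as "on" in
# `ethtool --show-offload IFACE` output read from stdin. Indented
# sub-feature lines are not matched; "off [...]" values count as off.
offloads_on() {
    awk -F': *' '
        $1 == "tcp-segmentation-offload"     { n = "tso" }
        $1 == "generic-segmentation-offload" { n = "gso" }
        $1 == "generic-receive-offload"      { n = "gro" }
        n != "" { split($2, v, " "); if (v[1] == "on") print n; n = "" }
    '
}

# Constructed sample of ethtool output, used to exercise offloads_on offline.
SAMPLE_OUTPUT='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: off [requested on]
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Usage: capture_with_offloads_off IFACE CAPTURE-COMMAND [ARGS...]
capture_with_offloads_off() {
    iface=$1; shift
    was_on=$(ethtool --show-offload "$iface" | offloads_on)
    trap : INT TERM      # survive Ctrl-C so the restore below still runs
    for f in $was_on; do ethtool --offload "$iface" "$f" off; done
    status=0
    "$@" || status=$?
    for f in $was_on; do ethtool --offload "$iface" "$f" on; done
    trap - INT TERM
    return "$status"
}

# Run as root, e.g.: sh capture.sh eth0 tcpdump -i eth0 -w wire-sized.pcap
if [ "$#" -ge 2 ]; then
    capture_with_offloads_off "$@"
fi
```

Offloads that were already off are left off afterwards, so the wrapper does not change the host's configured state.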