Wireshark-users: Re: [Wireshark-users] Can Anyone Tell Me What the HELL is Going on with My Captu
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 30 Jan 2009 10:29:36 -0800

On Jan 30, 2009, at 10:00 AM, Robinson, Eric wrote:

> Today I captured an exchange between a client and a tomcat server using
> ethereal-gnome-0.99.0-EL4.2 on the server (a Linux box).
>
> The trace shows the client connecting to the server and saying "My MSS
> is 1460" which is of course perfectly normal.
>
> But then I see several 4000+ byte frames going from the server to the
> client. Yes, frames. The MTU on the interface (bond0) is only 1500. Can
> anyone tell me how this is possible?

TCP segmentation offloading?

> Is Ethereal just acting up?

Unlikely - it just shows what it gets from the file, which is what came from libpcap, which is what came from the PF_PACKET socket libpcap opened.

> I know this is technically the Wireshark list, not the Ethereal list,
> but I was hoping it is still the right place to ask.

"Ethereal" is the name Wireshark had before it got renamed; they're the same program. Thus, there are no "Ethereal" lists separate from "Wireshark" lists (there are separate archives, for historical and possibly legal/ownership reasons).
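
Added example, not part of the original messages: a way to list the frames in a capture file that are longer than the interface MTU allows, which is the pattern the segmentation-offload suggestion in this thread would produce in a capture taken on the sending host. It assumes a classic pcap file with Ethernet framing and no VLAN tags; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_HDR = 14  # Ethernet II header without a VLAN tag (assumption)

def oversized_frames(pcap_bytes, mtu=1500):
    """Return (frame_no, wire_len, tcp_payload_len) for frames longer than mtu + ETH_HDR."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) is handled")
    hits, off, frame_no = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, wire_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1
        if wire_len <= mtu + ETH_HDR:
            continue  # fits in a single on-the-wire frame
        payload = None
        # For IPv4/TCP, derive the payload size from the wire length so it can
        # be compared with the MSS; the IP total-length field is not relied on.
        if len(pkt) >= ETH_HDR + 20 and pkt[12:14] == b"\x08\x00" and pkt[ETH_HDR + 9] == 6:
            ihl = (pkt[ETH_HDR] & 0x0F) * 4
            if len(pkt) > ETH_HDR + ihl + 12:
                data_off = (pkt[ETH_HDR + ihl + 12] >> 4) * 4
                payload = wire_len - ETH_HDR - ihl - data_off
        hits.append((frame_no, wire_len, payload))
    return hits

def _frame(payload_len):
    # Constructed Ethernet/IPv4/TCP frame using documentation addresses.
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0x4000, 64, 6, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    tcp = struct.pack("!HHIIBBHHH", 8080, 50000, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def build_sample():
    # Constructed capture: payloads of 1460, 4344 and 100 bytes.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in (1460, 4344, 100):
        f = _frame(n)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On the capturing host, `ethtool -k bond0` shows whether segmentation offload is enabled on the interface named in the thread.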