cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2094
Views
1
Helpful
5
Replies

Why packet size in wireshark is too large (16kbyte)

dragonhunt9111
Level 1
Level 1

Dear expert and friend,

My customer sends me a pcap file, which is captured on his laptop when accessing internet.

I dont know why in capture file, there are lot of packet with more than 16000 bytes. It is too large, At least it will be devided into smaller. It makes me lot headache.

wireshark1.png

Someone please help to explain this. Thank you a lot

5 Replies 5

Hi

 There is not 16k bytes packet. The larger it can be is 9k.

 The first 16k that is highlighted is related to how many bytes crossed the interface 0. It is not the size of the packet.

 The second and third does not mention if byes or bits. It can be bits. TLS when transfering the certificate usually the packet is fragmented due the amount of data. But, either will be send in 1500 bytes standard or 9k bytes using jumbo frames. 

 No way you are using 16k bytes packets

dragonhunt9111
Level 1
Level 1

Dear Miranda,

I think the second and third is in byte , because when i click to TLS section, it shows byte like this my pic. I upload a pcap file, pls review it, thanks you

dragonhunt9111_0-1686111897767.png

My file is here https://drive.google.com/file/d/18AcP54XHUgUAJC9fnI6xVazGplYk7LIu/view?usp=drive_link

 

Yeah, I saw the file here and it is real, the size is actually 16k. But, this capture was performed on the PC side. If you do the same capture on the network side there will be no packet with 16k size. It will be 1500 or 9k if you have jumbo frame enabled on the network device.

 I have found an explanation about the machine being generating a packet with this extra size:

 "...Probably you captured on the host that transmitted the oversized packet, and TCP Large Segment Offload is enabled. (Sometimes abbreviated TSO and sometimes LSO.) The operating system is passing packets larger than MTU to the network adapter, and the network adapter driver is breaking them up so that they fit within the MTU. If you capture from the wire, instead of from an endpoint involved in the communication, you will see that the packets are correctly sized when they are transmitted. This is one reason of several to capture from the wire, instead of on an endpoint.

TSO is a performance enhancement, but you can turn it off, in which case, the OS will no longer generate oversized frames.

To show the size of the TCP segment, add a custom column using the field "tcp.len".,,""

https://osqa-ask.wireshark.org/questions/24699/tcp-packet-length-was-much-greater-than-mtu/

 

Joseph W. Doherty
Hall of Fame
Hall of Fame

BTW, you can have 16k packets, as packets can be as large as 64k, regardless of frame size.

Normally, though, sender will set packet size such that it can be contained within a single frame (this to avoid all the issues that can arise due to dealing with fragmentation - which, also BTW, aren't exactly all the same as when a transit L3 hop fragments).

What I find "curious" is a 16k frame if this capture is from traffic crossing the Internet.  I believe it's possibly for the sender to send such sized frames, but I also believe it's unlikely an Internet receiver would actually receive such sized frames.  If that's the case here, I'm wondering if Wireshark is "creating" a logical frame after reassembling the packet.

TLS, this packet is certificate ?

Review Cisco Networking for a $25 gift card