
TCP length in capture from aggregating TAP exceeds MTU

Background
I bought a used aggregating TAP (a Network Instruments Aggregator nTAP with a 512MB buffer) and set it up between my cable modem and my router. I've got a dual-interface motherboard on my desktop (the machine running Wireshark): one is an Intel I218-V and the other is an Intel I211. The latter is connected to one of the TAP's two "analyzer" ports (these are simplex ports that send only). The OS on the desktop is Linux. The driver for the I211 interface (labeled enp8s0 by the OS) is the igb module.

Problem
I put the capturing interface into promiscuous mode and recorded a file being uploaded via HTTP to a remote server. TCP segment length from the sender starts at 1448, increases to 2896, then tops out at 8688KiB, with ACKs that don't correspond to sequence numbers. I understand that segment lengths well in excess of standard MTU are often an issue with misconfigured Ethernet interfaces on desktops/laptops.

Question
If a misconfigured interface is, in fact, the problem, where can I go to find more information on how to configure the interface to act as a simple drain for the aggregating TAP, which will act as little more than a recording device for Wireshark? I read this post where OP attempts to remedy things with ethtool, but more experienced users take exception to his methods.

chb, asked 2019-11-08 15:22:23 +0000, updated 2019-11-08 15:39:49 +0000

Comments

Can you share a capture file, use a public share, e.g. Google Drive, DropBox etc?

grahamb (2019-11-10 17:27:04 +0000)

1 Answer

Not enough digging, I guess. I followed the instructions presented at packet-foo.com for network cards, borrowing bits and pieces from the SecurityOnion page that it refers to.

Big thanks to Jasper!

chb, answered 2019-11-08 16:24:09 +0000
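An added example, not part of the original posts and not taken from the packet-foo.com or SecurityOnion pages: a check for offloads left enabled on a capture interface, assuming the oversized segments come from NIC or kernel offloading (receive offloads such as GRO and LRO merge several wire frames into one before the sniffer sees them). The function names and the sample `ethtool -k` output are constructed; `enp8s0` is the interface named in the question.

```shell
#!/bin/sh
# Reads `ethtool -k <iface>` output on stdin and prints the `ethtool -K`
# short name of every capture-relevant offload that is still "on".

# Constructed sample of `ethtool -k enp8s0` output (not from the original post).
SAMPLE_ETHTOOL_K='Features for enp8s0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

enabled_offloads() {
    while IFS= read -r line; do
        name=${line%%:*}      # text before the first colon
        state=${line#*: }     # text after "name: ", e.g. "on" or "off [fixed]"
        case $state in on*) ;; *) continue ;; esac
        # Tab-indented sub-features never match these top-level names.
        case $name in
            rx-checksumming)              echo rx  ;;
            tx-checksumming)              echo tx  ;;
            scatter-gather)               echo sg  ;;
            tcp-segmentation-offload)     echo tso ;;
            generic-segmentation-offload) echo gso ;;
            generic-receive-offload)      echo gro ;;  # merges received segments
            large-receive-offload)        echo lro ;;  # merges received segments
        esac
    done
}

# Print (do not run) the commands that would switch those offloads off.
fix_commands() {
    iface=$1
    enabled_offloads | while IFS= read -r feat; do
        printf 'ethtool -K %s %s off\n' "$iface" "$feat"
    done
}

# Demo on the constructed sample; on a live system use:
#   ethtool -k enp8s0 | fix_commands enp8s0
printf '%s\n' "$SAMPLE_ETHTOOL_K" | fix_commands enp8s0
```

Settings changed with `ethtool -K` do not persist across reboots, so the check is worth repeating before each capture session.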
