First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
0

Why is wireshark showing capturing frame size 16523 while network adapter is configured to 1514 bytes?

  • retag add tags

Example:

Frame 7739: **16523 bytes on wire** (132184 bits), **16523 bytes captured** (132184 bits) on interface \Device\NPF_{D50C0374-3F2F-4B7F-A765-2E3C7ABEE1A8}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{D50C0374-3F2F-4B7F-A765-2E3C7ABEE1A8})
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr  7, 2023 13:24:20.479086000 Central Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1680866660.479086000 seconds
    [Time delta from previous captured frame: 0.000123000 seconds]
    [Time delta from previous displayed frame: 0.000123000 seconds]
    [Time since reference or first frame: 26.115296000 seconds]
    Frame Number: 7739
    Frame Length: 16523 bytes (132184 bits)
    Capture Length: 16523 bytes (132184 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: VMware_xx:yy:d7 (00:yy:zz), Dst: All-HSRP-routers_35 (00:00:xx:07:yy:35)
Internet Protocol Version 4, Src: *.*.*.*, Dst: +.+.+.+.+
Transmission Control Protocol, Src Port: 52366, Dst Port: 16806, Seq: 20675212, Ack: 279996, Len: 16469
Transport Layer Security
tajci1's avatar
1
tajci1
asked 2023-04-07 11:46:46 +0000
Guy Harris's avatar
19.9k
Guy Harris
updated 2023-04-09 00:29:43 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0
Jaap's avatar
13.7k
Jaap
answered 2023-04-07 12:08:46 +0000
edit flag offensive 0 remove flag delete link

Comments

Thank you answering this. Is it same with sending packets? I wasn't very specific, but in my particular capture I'm seeing 16523 bytes on sending packet, not receiving. Reading your link I saw GSO feature. Is that the one?

"Generic Segmentation Offload (GSO) collectively represents Large Send Offload (LSO) and UDP Send Offload (USO).

Client drivers can offload the segmentation of TCP/UDP packets that are larger than the maximum transmission unit (MTU) of the network medium."

tajci1's avatar tajci1 (2023-04-08 06:28:49 +0000) edit

Yep, this can both be applied in the sending and receiving direction. The technique comes under various names and can be implemented at various places in the packet path from network stack to the wire. Also it can be applicable in different ways to different protocols. There's a lot of mixing and matching involved.

Jaap's avatar Jaap (2023-04-08 10:11:04 +0000) edit

Thank you. You have been very helpful.

tajci1's avatar tajci1 (2023-04-12 07:49:13 +0000) edit
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer