How did this jumbo packet get here?

So recently I was asked to explain why we had jumbo packets on the network when we don’t have jumbo enabled on either our network devices or hosts.  Good question.

capture

 

It says clearly that it is 2974 bytes on wire.   Well long story short, it lies.

Turns out a feature that is on by default called “generic receive offload” glued the fragments back together before passing the frame up to pcap.  So bottom line, pcap only sees what your NIC gives it so a capture is not truly a raw capture in all cases.  Other links that explain it better.

http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

https://lwn.net/Articles/358910/

It can be disabled in Linux until the next reboot with

ethtool -K eth0 gro off
Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s