How did this jumbo packet get here?

So recently I was asked to explain why we had jumbo packets on the network when we don’t have jumbo enabled on either our network devices or hosts.  Good question.



The capture says clearly that the frame is 2974 bytes on wire. Well, long story short, it lies.

It turns out that a feature called “generic receive offload” (GRO), which is on by default, glued the fragments back together before passing the frame up to pcap. Bottom line: pcap only sees what your NIC gives it, so a capture is not truly a raw capture in all cases. Other links that explain it better.

It can be disabled in Linux until the next reboot with:

ethtool -K eth0 gro off
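
An added example, not part of the original post: a small shell helper that reads `ethtool -k` output and prints the `ethtool -K` commands to run before capturing. It goes beyond GRO to the related LRO, TSO and GSO offloads, which produce the same larger-than-MTU frames in a capture; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find offloads that make a capture show frames larger than the MTU.

# Sample `ethtool -k` output, constructed for this example (not from a real host).
SAMPLE_FEATURES='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# coalescing_offloads (hypothetical helper): read `ethtool -k` output on stdin
# and print the short `ethtool -K` name of each merging/segmentation offload
# that is currently on, in the order the features appear in the input.
coalescing_offloads() {
    awk -F': ' '
        BEGIN {
            f["generic-receive-offload"]      = "gro"
            f["large-receive-offload"]        = "lro"
            f["tcp-segmentation-offload"]     = "tso"
            f["generic-segmentation-offload"] = "gso"
        }
        # Sub-features are indented in real output, so they never match here.
        ($1 in f) && $2 ~ /^on/ { print f[$1] }
    '
}

# disable_commands IFACE (hypothetical helper): turn that list into the
# commands to run before starting the capture. Like the command in the post,
# these last only until the next reboot.
disable_commands() {
    iface=$1
    coalescing_offloads | while read -r flag; do
        printf 'ethtool -K %s %s off\n' "$iface" "$flag"
    done
}

# Live use (needs ethtool; the printed -K commands need root):
#   ethtool -k eth0 | disable_commands eth0
printf '%s\n' "$SAMPLE_FEATURES" | disable_commands eth0
```

An offload shown as `on [fixed]` is still listed, but the driver will refuse to change it, so check `ethtool -k` again before trusting frame sizes in the capture.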