How did this jumbo packet get here?

Recently I was asked to explain why we had jumbo packets on the network when we don’t have jumbo frames enabled on either our network devices or hosts. Good question.



The capture says clearly that the frame is 2974 bytes on the wire. Long story short, it lies.

It turns out that a feature called “generic receive offload” (GRO), which is on by default, glued the fragments back together before passing the frame up to pcap. Bottom line: pcap only sees what your NIC gives it, so a capture is not truly a raw capture in all cases. Other links that explain it better.

It can be disabled in Linux until the next reboot with:

ethtool -K eth0 gro off
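
To spot this artifact in an existing capture, here is an added example (not from the original post): a Python scan of a classic pcap for IPv4/TCP frames larger than the interface MTU allows, estimating how many full-size segments were merged into each. The 1500-byte MTU, the option-less TCP headers and the sample frames are constructed assumptions; under them a 2974-byte frame is exactly two 1460-byte segments.

```python
import struct

ETH_HDR = 14   # Ethernet II header, no VLAN tag (assumption)
MTU = 1500     # assumed interface MTU, i.e. jumbo frames not enabled

def build_frame(payload_len):
    """Constructed sample: Ethernet + IPv4 + TCP (no options) + zero payload."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def oversized_frames(pcap_bytes, mtu=MTU):
    """Return (frame_no, wire_len, tcp_payload, est_segments) for frames above MTU."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    hits, off, frame_no = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap_bytes, off)
        pkt = pcap_bytes[off + 16: off + 16 + incl]
        off += 16 + incl
        frame_no += 1                      # 1-based, like a capture viewer
        if orig <= ETH_HDR + mtu or len(pkt) < ETH_HDR + 40:
            continue                       # fits the MTU, or too short to parse
        if pkt[12:14] != b"\x08\x00" or pkt[ETH_HDR + 9] != 6:
            continue                       # not IPv4 carrying TCP
        ihl = (pkt[ETH_HDR] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", pkt, ETH_HDR + 2)
        doff = (pkt[ETH_HDR + ihl + 12] >> 4) * 4
        payload = total_len - ihl - doff
        mss = mtu - ihl - doff             # largest payload one wire frame can carry
        hits.append((frame_no, orig, payload, -(-payload // mss)))
    return hits

# Constructed capture: one full-size frame, one coalesced frame, one bare ACK.
SAMPLE = build_pcap([build_frame(1460), build_frame(2920), build_frame(0)])

if __name__ == "__main__":
    for hit in oversized_frames(SAMPLE):
        print("frame %d: %d bytes on wire, %d payload bytes, ~%d segments merged" % hit)
```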
