Wireshark's reassembled PDU consists of TCP segment size > MSS?


I subsequently found the reason myself: this is due to Large receive offload, as explained at http://rtoodtoo.net/generic_segmentation_offload_and_wireshark/. The host's network interface card or kernel collected multiple TCP segments and merged them into a single large segment before passing it to userspace.

So when Wireshark recorded the traffic, it appeared to it as a single TCP segment/IP packet that exceeds the allowed MTU and MSS.

Author by

Johannes Schaub - litb


Updated on September 18, 2022

Comments

  • Johannes Schaub - litb over 1 year

    I'm looking into a Wireshark record provided by someone, to analyze something for them. Wireshark has conveniently reassembled 3 TCP segments that all transported a single TLS packet. The TLS packet could not fit into the 1460 bytes MSS, therefore the host made 3 TCP segments out of it and Wireshark has detected this:

    [3 Reassembled TCP Segments (5914 bytes): #8(1440), #10(1440), #12(3034)]
        [Frame: 8, payload: 0-1439 (1440 bytes)]
        [Frame: 10, payload: 1440-2879 (1440 bytes)]
        [Frame: 12, payload: 2880-5913 (3034 bytes)]
        [Segment count: 3]
        [Reassembled TCP length: 5914]
        [Reassembled TCP Data: ... ]
    

    This is great, but what I don't understand is why the 3rd segment has a size that exceeds the MSS of this TCP connection, which was negotiated at the SYN/SYN+ACK at 1460 bytes.
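
The answer's explanation applied to the reassembly summary quoted in the question, as an added example that is not part of the original posts: it parses that summary line and flags frames whose payload exceeds the negotiated MSS, which in a capture taken on the receiving host points to receive offload coalescing. The function names are hypothetical; the MSS value and the summary line are taken from the question.

```python
import math
import re

# Reassembly summary exactly as quoted in the question.
SUMMARY = "[3 Reassembled TCP Segments (5914 bytes): #8(1440), #10(1440), #12(3034)]"
MSS = 1460  # negotiated in SYN/SYN+ACK, per the question

TOTAL_RE = re.compile(r"\((\d+) bytes\)")
SEG_RE = re.compile(r"#(\d+)\((\d+)\)")


def parse_summary(line):
    """Return (total_bytes, [(frame_no, payload_len), ...]) from a summary line."""
    total_match = TOTAL_RE.search(line)
    if total_match is None:
        raise ValueError("no '(N bytes)' total in summary line")
    total = int(total_match.group(1))
    segs = [(int(frame), int(length)) for frame, length in SEG_RE.findall(line)]
    # Sanity check: the per-frame payloads must add up to the reassembled length.
    if sum(length for _, length in segs) != total:
        raise ValueError("segment lengths do not add up to the stated total")
    return total, segs


def flag_coalesced(segs, mss):
    """List frames whose payload exceeds the MSS.

    A single on-the-wire segment cannot carry more than MSS bytes, so such a
    frame was merged from several segments before the capture point saw it.
    min_wire_segments is the lower bound ceil(payload / mss).
    """
    flagged = []
    for frame, length in segs:
        if length > mss:
            flagged.append({
                "frame": frame,
                "payload": length,
                "min_wire_segments": math.ceil(length / mss),
            })
    return flagged


if __name__ == "__main__":
    total, segs = parse_summary(SUMMARY)
    for hit in flag_coalesced(segs, MSS):
        print("frame #{frame}: {payload} bytes > MSS, merged from at least "
              "{min_wire_segments} wire segments".format(**hit))
```
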