Wireshark's reassembled PDU consists of TCP segment size > MSS?
I subsequently found the reason myself: This is due to Large receive offload as explained at http://rtoodtoo.net/generic_segmentation_offload_and_wireshark/. The host's network interface card or kernel collected multiple TCP segments and merged them into a single large segment before passing it to userspace.
So it appeared to Wireshark, when it recorded the traffic, as a single TCP segment/IP packet that exceeds the allowed MTU and MSS.
Johannes Schaub - litb
Updated on September 18, 2022
Johannes Schaub - litb over 1 year
I'm looking into a Wireshark record provided by someone, to analyze something for them. Wireshark has conveniently reassembled 3 TCP segments that all transported a single TLS packet. The TLS packet could not fit into the 1460 bytes MSS, therefore the host made 3 TCP segments out of it and Wireshark has detected this:

[3 Reassembled TCP Segments (5914 bytes): #8(1440), #10(1440), #12(3034)]
[Frame: 8, payload: 0-1439 (1440 bytes)]
[Frame: 10, payload: 1440-2879 (1440 bytes)]
[Frame: 12, payload: 2880-5913 (3034 bytes)]
[Segment count: 3]
[Reassembled TCP length: 5914]
[Reassembled TCP Data: ... ]
This is great, but what I don't understand is why the 3rd segment has a size that exceeds the MSS of this TCP connection, which was negotiated at the SYN/SYN+ACK at 1460 bytes.
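
The receive-offload explanation applied to the reassembly summary from the question, as an added example that is not part of the original posts: it parses the summary line, flags any captured frame whose payload exceeds the negotiated MSS, and estimates how many wire segments were merged into it. The function names and the rule for estimating the wire segment size are assumptions made for this illustration.

```python
import math
import re

# Summary line copied from the capture in the question.
SUMMARY = "[3 Reassembled TCP Segments (5914 bytes): #8(1440), #10(1440), #12(3034)]"
NEGOTIATED_MSS = 1460  # from the SYN/SYN+ACK, as stated in the question


def parse_reassembly(summary):
    """Return (total_bytes, [(frame_no, payload_len), ...]) from a Wireshark
    'Reassembled TCP Segments' summary line."""
    head = re.search(r"(\d+) Reassembled TCP Segments \((\d+) bytes\)", summary)
    if head is None:
        raise ValueError("not a reassembly summary line")
    frames = [(int(n), int(l)) for n, l in re.findall(r"#(\d+)\((\d+)\)", summary)]
    count, total = int(head.group(1)), int(head.group(2))
    if len(frames) != count or sum(l for _, l in frames) != total:
        raise ValueError("frame list does not match the stated count/total")
    return total, frames


def flag_coalesced(frames, mss):
    """Flag captured frames whose TCP payload exceeds the MSS.

    Such a frame cannot have crossed the wire as one segment, so the capture
    point saw it after receive offload (LRO/GRO) merged several segments.
    Assumption: the wire segment size is the largest payload <= MSS seen in
    the same reassembly (falls back to the MSS itself if none is).
    """
    fitting = [l for _, l in frames if l <= mss]
    wire_size = max(fitting) if fitting else mss
    report = []
    for frame_no, length in frames:
        if length > mss:
            report.append({
                "frame": frame_no,
                "payload": length,
                "excess_over_mss": length - mss,
                "est_wire_segments": math.ceil(length / wire_size),
            })
    return report


if __name__ == "__main__":
    total, frames = parse_reassembly(SUMMARY)
    for hit in flag_coalesced(frames, NEGOTIATED_MSS):
        print(hit)
```

For anyone doing forensics or detection work on such a capture, a flagged frame means the recorded frame count and sizes describe what the host's stack delivered, not the individual packets that were on the wire.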