Get plugged in for fast training on network troubleshooting and security. The All Access Pass online training system provides a range of troubleshooting, analysis and security courses on-demand.
Analyzing HUGE Packets - TSO/LRO
Recently I received a trace file from a customer having performance problems.
One of the issues in the trace file was a series of packets with large length
values such as 32,885 or 35,094 or 61,557.
I've been seeing this characteristic more and more often when analyzing trace
This is not a situation of jumbo frames.
This is a situation called TCP Segmentation Offload (or TSO)/Large Receive
TSO/LRO are hardware functions. A host with TSO-enabled hardware sends TCP
data to the NIC without segmenting the data in software. The NIC will perform
TCP segmentation. NICs supporting LRO receive packets and reassemble them
before passing the data on to the local software.
When Wireshark is loaded and capturing on a system that performs TSO/LRO,
Wireshark may show you these really large frames - it's not lying - that is the size
of the frame before segmentation has occurred (in the case of outbound packets
handled with TSO) or after reassembly has occurred (in the case of inbound
packets handled with LRO).
If you want to see the packets as they actually look when traversing the network -
capture them at a location along the path using a FDX tap or port
spanning/monitoring. The frames should then be the standard size.
Remember to check out the Wireshark Certified Network Analyst program at
Sign up for the newsletter to receive blog and schedule update information.