by JoKeru

Packets larger than the MTU in tcpdump?

The network adapter will not send frames larger than the configured MTU!

tcpdump hooks in above the driver and does not see what is sent on the wire. Rather, it sees what the stack hands to the driver. The stack will send TCP LSO (large send offload) frames of up to about 64K, and the adapter will segment them down to the MSS supplied by the IP stack.

What you are seeing is due to TCP Segmentation Offload (TSO) and TCP Large Receive Offload (LRO). TSO allows the network stack to give the driver packets larger than the MTU when transmitting, and lets the adapter segment the packets down to a connection's maximum segment size (MSS). Similarly, LRO allows the adapter (or driver) to reassemble multiple MSS-sized frames into one larger frame, which is passed up to the stack. TSO and LRO provide a large reduction in CPU load because they decrease the effective packet rate as seen by the TCP/IP stack.

Unfortunately, TSO and LRO make it difficult to obtain an accurate network trace, since tcpdump plugs into the network stack above the driver. This means that tcpdump will see packets which are larger than those which are actually transmitted and/or received on the wire. If you need an accurate trace, it is sometimes best to use a "mirror port" and another machine to do the tracing. Alternatively, ethtool can be used to enable or disable TSO and LRO: ethtool -k (lowercase) displays the current offload settings and ethtool -K (uppercase) changes them. Note that LRO can only be controlled by ethtool using very recent versions of ethtool on fairly new Linux kernels.

[cc lang='bash']
# display
$ ethtool -k eth0 | grep offload
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off

# set
$ ethtool -K eth0 tso off
[/cc]
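
Before trusting packet sizes in a capture, it helps to check which of these offloads are active on the capturing host. The following is an added example, not part of the original post: the function `capture_offloads` and the sample text are constructed for illustration. It covers TSO and LRO as described above, plus GRO, which likewise merges received segments before tcpdump's capture point, and it handles features that ethtool marks `[fixed]` (not changeable), where the mirror-port approach is the remaining option.

```shell
#!/bin/sh
# Added example: list the offloads that make tcpdump show frames larger
# than the MTU, and print the ethtool -K command that turns each one off.

# Constructed sample, shaped like `ethtool -k eth0` output.
SAMPLE_ETHTOOL_K='Features for eth0:
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: on [fixed]'

# capture_offloads IFACE
# Reads `ethtool -k` text on stdin. For every offload that is "on" and
# changes packet sizes seen by a capture, prints either the command to
# disable it or, if the driver reports it as [fixed], a note instead.
# Nothing is executed; the output is for review.
capture_offloads() {
    iface=$1
    while IFS=': ' read -r name state rest; do
        # Map the long feature name to the short name ethtool -K accepts.
        case $name in
            tcp-segmentation-offload) short=tso ;;
            generic-receive-offload)  short=gro ;;
            large-receive-offload)    short=lro ;;
            *) continue ;;
        esac
        [ "$state" = on ] || continue
        if [ "$rest" = "[fixed]" ]; then
            echo "# $short is on and fixed on $iface: capture from a mirror port instead"
        else
            echo "ethtool -K $iface $short off"
        fi
    done
}

# Demo on the constructed sample. On a real host:
#   ethtool -k eth0 | capture_offloads eth0
printf '%s\n' "$SAMPLE_ETHTOOL_K" | capture_offloads eth0
```

Turning an offload off raises CPU load on a busy interface, so note the original settings and restore them with `ethtool -K <iface> <feature> on` once the trace is taken.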