[Linux] Wireshark 抓到超過 MTU 的封包.

在 Linux Wireshark 有時候會抓到比 MTU Size 更大的封包, ex: 2336, 5160 .. etc.

這個問題源自於 Linux NIC driver enable GRO (Generic Receive Offload), 這功能會將數個封包組合成一個大封包以增加速度.

這時可以用 ethtool 去修改網路卡的參數

使用 ethtool -k <interface> 查看狀況.

[TEXT]

# ethtool -k eth0
Features for eth0:
rx-checksumming: on
tx-checksumming: off
tx-checksum-ipv4: off
tx-checksum-ip-generic: off [fixed]
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: off
tx-scatter-gather: off
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
tx-tcp-segmentation: off
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off [requested on]
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: off [fixed]
rx-vlan-filter: off [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off
rx-all: off
[/TEXT]

我們發現 generic-receive-offload: on
然後可以用這個命令
# ethtool –offload eth0 gro off
關掉GRO, 這樣抓下來的封包就會正常了.

ref.

Re: [Wireshark-users] wireshark sees jumbo TCP packets in linux

Comments

comments

Related Posts

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>