在 Linux Wireshark 有時候會抓到比 MTU Size 更大的封包, ex: 2336, 5160 .. etc.
這個問題源自於 Linux NIC driver enable GRO (Generic Receive Offload), 這功能會將數個封包組合成一個大封包以增加速度.
這時可以用 ethtool 去修改網路卡的參數
使用 ethtool -k <interface> 查看狀況.
[TEXT]
# ethtool -k eth0
Features for eth0:
rx-checksumming: on
tx-checksumming: off
tx-checksum-ipv4: off
tx-checksum-ip-generic: off [fixed]
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: off
tx-scatter-gather: off
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
tx-tcp-segmentation: off
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off [requested on]
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: off [fixed]
rx-vlan-filter: off [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off
rx-all: off
[/TEXT]
我們發現 generic-receive-offload: on
然後可以用這個命令
# ethtool –offload eth0 gro off
關掉GRO, 這樣抓下來的封包就會正常了.
ref.
Re: [Wireshark-users] wireshark sees jumbo TCP packets in linux
發佈留言