Tuesday, September 7, 2010

Analyzing HUGE Packets - TSO/LRO

Recently I received a trace file from a customer having performance problems. One of the issues in the trace file was a series of packets with large length values such as 32,885 or 35,094 or 61,557.

I've been seeing this characteristic more and more often when analyzing trace files.

This is not a case of jumbo frames.

This is TCP Segmentation Offload (TSO) and Large Receive Offload (LRO).

TSO/LRO are hardware functions. A host with TSO-enabled hardware sends TCP data to the NIC without segmenting the data in software. The NIC will perform TCP segmentation. NICs supporting LRO receive packets and reassemble them before passing the data on to the local software.

When Wireshark is loaded and capturing on a system that performs TSO/LRO, Wireshark may show you these really large frames. It's not lying: that is the size of the frame before segmentation has occurred (in the case of outbound packets handled with TSO) or after reassembly has occurred (in the case of inbound packets handled with LRO).

If you want to see the packets as they actually look when traversing the network, capture them at a location along the path using a full-duplex (FDX) tap or port spanning/monitoring. The frames should then be the standard size.
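To find these frames in a trace without scrolling through it, the following added example (not code from the original post) reads a classic libpcap file and labels each oversized frame as TSO or LRO according to whether the capturing host is the sender or the receiver. The size thresholds, the `classify` and `sample_pcap` names, and the 10.0.0.x addresses are assumptions made for the illustration; the sample capture is constructed.

```python
import socket
import struct

STD_MAX = 1514    # assumption: 1500-byte MTU + 14-byte Ethernet header, FCS not captured
JUMBO_MAX = 9014  # assumption: 9000-byte jumbo MTU + 14-byte Ethernet header

def classify(pcap, local_ip):
    """Return (frame_no, orig_len, verdict) for every oversized frame in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic libpcap file with Ethernet link type")
    out, off, n = [], 24, 0
    while off + 16 <= len(pcap):
        # Per-record header: ts_sec, ts_usec, captured length, original length
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame, off, n = pcap[off + 16:off + 16 + incl], off + 16 + incl, n + 1
        if orig <= STD_MAX:
            continue  # ordinary frame
        if orig <= JUMBO_MAX:
            verdict = "jumbo-range: jumbo frame or small offload batch"
        elif len(frame) < 34 or frame[12:14] != b"\x08\x00":
            verdict = "offload-sized, direction unknown (not IPv4)"
        elif socket.inet_ntoa(frame[26:30]) == local_ip:
            verdict = "TSO: seen before the NIC segmented it"
        elif socket.inet_ntoa(frame[30:34]) == local_ip:
            verdict = "LRO: seen after the NIC reassembled it"
        else:
            verdict = "offload-sized, capture host is not an endpoint"
        out.append((n, orig, verdict))
    return out

def sample_pcap():
    """Constructed capture: snaplen 96, so only headers are stored for big frames."""
    def rec(src, dst, orig):
        ip = b"\x45\x00" + b"\x00" * 6 + b"\x40\x06\x00\x00"  # IPv4, TTL 64, TCP
        ip += socket.inet_aton(src) + socket.inet_aton(dst)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * 20
        return struct.pack("<IIII", 0, 0, len(frame), orig) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    return (hdr + rec("10.0.0.5", "10.0.0.9", 1514)
                + rec("10.0.0.5", "10.0.0.9", 32885)
                + rec("10.0.0.9", "10.0.0.5", 61557)
                + rec("10.0.0.9", "10.0.0.5", 4434))

if __name__ == "__main__":
    for row in classify(sample_pcap(), "10.0.0.5"):
        print(row)
```

The check relies on the original length field in each record, so it still works when the capture was taken with a small snap length. pcapng files need converting to classic pcap first.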
