Unusual TCP/IP Packet Size

Doug Hardie bc979 at lafn.org
Fri Feb 8 11:01:49 UTC 2013

Monitoring a tcpdump between two systems, a FreeBSD 9.1 system has the following interface:

msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:2f:2a:c7:03
	inet netmask 0xffffff00 broadcast
	inet6 fe80::211:2fff:fe2a:c703%msk0 prefixlen 64 scopeid 0x1 
	media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
	status: active

It sent the following packet:  (data content abbreviated)

02:14:42.081617 IP > Flags [P.], seq 930:4876, ack 846, win 1040, options [nop,nop,TS val 401838072 ecr 920110183], length 3946
	0x0000:  4500 0f9e ea89 4000 4006 2a08 0a00 01c7  E..... at .@.*.....
	0x0010:  0a00 0102 01bb ef4a ece1 680b ae37 1bbc  .......J..h..7..
	0x0020:  8018 0410 3407 0000 0101 080a 17f3 8ff8  ....4...…….

The indicated packet length is 3946 and the load of data shown is that size.  The MTU on both interfaces is 1500.  The receiving system received 3 packets.  There is a router and switch between them.  One of them fragmented that packet. This is part of a SSL/TLS exchange and one side or the other is hanging on this and just dropping the connection.  I suspect the packet size is the issue.  ssldump complains about the packet too and stops monitoring.  Could this possibly be related to the hardware checksums?

More information about the freebsd-questions mailing list