windows下wireshark抓包经常会出现"TCP segment of a reassembled PDU"提示:
可通过wireshark的 Edit --> Preferences --> Protocols/TCP --> Allow subdissector to reassemble TCP streams 取消勾选该选项可消除提示:
网上大部分转载文章都在争论显示TCP segment of a reassembled PDU的ACK序号是一样的,所以显示提示,其实与ACK没啥关系。
问题的关键在于报文长度2194字节,已超出MTU的1500大小,所以提示TCP segment。
MTU Max Transmit Unit,1500,可通过ifconfig查看
MSS Max Segment Size,1460=1500-20-20
PDU Protocol Data Unit
NIC传输的最大报文长度为1514字节=MTU+Ether=1500+14
那问题来了,2194字节报文为什么是正常的,为何没有经过IP分片?
因为现代OS支持网络分载(TSO)功能,由NIC代替CPU实现packet的分段和合并,节省系统资源,让系统处理更多的连接。
TSO TCP Segment Offload
LSO Large Segment Offload
GSO Generic Segment Offload
LRO Large Receive Offload
RSC Receive Segment Coalescing
发送过程:
Many operating systems and NIC drivers support TCP Segmentation Offload (TSO) aka Large Segment Offload (LSO) aka Generic Segment Offload (GSO). What this means is that the TCP stack sends a chunk of data for the NIC to break up into Maximum Segment Size (MSS) pieces to send on the network. TCP might hand the NIC 16k of data and the NIC will break it into MSS sized bites: 11 segments of 1460 bytes and one segment of the remaining 324 bytes. This offloads the task to the NIC and saves overhead on the host’s resources. It’s a performance thing.
当TCP协议栈发送大块数据时,由NIC来进行分段。由于适配器硬件完成数据分段的速度比操作系统软件快得多,此功能可能会提高传输性能。此外,适配器使用的 CPU 资源较少。
接收过程:
Large Receive Offload (LRO) or Receive Segment Coalescing (RSC). The is the same thing but in reverse. The NIC coalesces TCP segments it receives from a remote host into larger packets before sending them up to the TCP stack.
过程与发送相反,NIC会将接收到的数据合并成大的数据包,然后发送至TCP/IP协议栈。如图wireshark工作在NIC和协议栈之间,抓取的是网卡上的数据,此时数据包长度可能大于MTU。
参考链接:
http://packetbomb.com/how-can-the-packet-size-be-greater-than-the-mtu/
http://rtodto.net/generic_segmentation_offload_and_wireshark/