Today, we will use Wireshark to examine packets. There is an interesting scenario that you may encounter. If you capture the 3-way handshake of your traffic, you will see the MSS (Maximum Segment Size) value. This value represents the negotiated number of bytes for the TCP payload. Referring to the diagram below, the MSS value should be 947. However, look at the TCP length column: why is it greater than the negotiated MSS value? We will explore TCP Large Segment Offload (TSO) to answer this question.
TCP Large Segment Offload
If TSO is enabled on the transmission path, the NIC divides larger data chunks into TCP segments. If TSO is disabled, the CPU performs segmentation for TCP/IP.
TSO reduces CPU overhead by relying on the network interface controller to segment the data and then add the TCP, IP, and data link layer protocol headers to each segment. This relieves the CPU from having to break the data into segments before sending it to the NIC.
Solution
We should be sure where the capture is taken: before the NIC or after the NIC. If you capture traffic on the CPU side and TSO is enabled, the TCP length value can appear larger than the negotiated MSS value. In such an environment, you may mirror the traffic to capture what is actually on the wire. Of course, there are methods to disable TSO, but this can cause high CPU usage. Please check the Broadcom link at the bottom of this post for how to configure TSO. There are also configuration methods for other operating systems.
As a result, when you see such output in Wireshark, you are now aware of why this happens.
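To check a capture for this pattern without reading the length column by eye, the following added example (not code from this post) parses raw IPv4/TCP packets, reads the MSS option from each SYN, and reports segments whose payload exceeds it. The function names, addresses and sample packets are constructed for illustration; the MSS of 947 mirrors the value discussed above.

```python
import struct

def parse_tcp(pkt):
    """Parse a raw IPv4/TCP packet -> (flow, flags, mss_option, payload_len)."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0] or len(pkt)  # 0 in some TSO captures
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    opts, i, mss = tcp[20:doff], 0, None
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of options
        if opts[i] == 1:                           # kind 1 = NOP, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed option, stop
            break
        if opts[i] == 2 and opts[i + 1] == 4:      # kind 2 = MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return (pkt[12:16], sport, pkt[16:20], dport), flags, mss, total - ihl - doff

def oversized_segments(packets):
    """Return (index, payload_len, limit) for segments above the receiver's SYN MSS."""
    limit, hits = {}, []
    for n, pkt in enumerate(packets):
        (src, sp, dst, dp), flags, mss, plen = parse_tcp(pkt)
        if flags & 0x02 and mss is not None:
            limit[(dst, dp, src, sp)] = mss        # caps what the peer sends back
        cap = limit.get((src, sp, dst, dp))
        if cap is not None and plen > cap:
            hits.append((n, plen, cap))
    return hits

def build(src, dst, sport, dport, flags, payload_len, mss=None):
    """Constructed test packet: minimal IPv4 + TCP headers, zero-filled payload."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      ((20 + len(opts)) // 4) << 4, flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + payload_len,
                     0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return ip + tcp + bytes(payload_len)

A, B = (10, 0, 0, 1), (10, 0, 0, 2)               # constructed addresses
SAMPLE = [
    build(A, B, 40000, 443, 0x02, 0, mss=1460),   # SYN
    build(B, A, 443, 40000, 0x12, 0, mss=947),    # SYN/ACK advertising MSS 947
    build(A, B, 40000, 443, 0x18, 900),           # fits within 947
    build(A, B, 40000, 443, 0x18, 2841),          # 3 x 947, as seen before the NIC
]
```

A hit from `oversized_segments` on a host-side capture points to segmentation offload rather than a misbehaving sender; the same flow captured from a mirror port should produce no hits.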
Resources:
https://my.f5.com/manage/s/article/K15609
https://knowledge.broadcom.com/external/article/318877/understanding-tcp-segmentation-offload-t.html