TCP Dup Ack Not Captured Packets
If most of the "not captured" packets have a frame size over the traditional MTU of 1500 bytes, path MTU may be the cause of the lost packets.
How to verify path MTU:
Linux / macOS
Use ping with the DF flag set (-M do on Linux; macOS ping uses -D instead) and gradually increase the size:
ping -M do -s 1472 <destination>
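-M do → don’t fragment
-s 1472 → ICMP payload size; with the 20-byte IP header and 8-byte ICMP header this makes a 1500-byte packet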
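The gradual size increase can be automated as a binary search over the payload size. This is an added example, not part of the original page: the names find_pmtu, probe_df and the PROBE override are hypothetical, and the ping flags assume Linux iputils.

```shell
#!/bin/sh
# Added example: binary-search the largest ICMP payload that passes with DF set.
# Function names and the PROBE override are hypothetical, chosen for this sketch.

# Returns 0 if one DF-flagged echo request with the given payload gets a reply.
probe_df() {  # usage: probe_df <destination> <payload_bytes>
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# Prints the path MTU (largest passing payload + 28 bytes of IP and ICMP headers).
# Returns 1 if even the smallest probe fails (host down or ICMP filtered).
find_pmtu() {  # usage: find_pmtu <destination> [low_payload] [high_payload]
    dest=$1
    lo=${2:-548}     # assumed floor: 576-byte IPv4 minimum datagram minus 28
    hi=${3:-1472}    # 1500-byte Ethernet MTU minus 28
    probe=${PROBE:-probe_df}

    # Without a passing floor the search result would be meaningless.
    "$probe" "$dest" "$lo" || return 1
    # If the ceiling already passes, the path carries full-size frames.
    if "$probe" "$dest" "$hi"; then
        echo $((hi + 28))
        return 0
    fi
    # Invariant: payload lo passes, payload hi fails.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$dest" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo $((lo + 28))
}

# Run as a script: ./pmtu.sh <destination>
if [ $# -gt 0 ]; then find_pmtu "$@"; fi
```

A result below 1500 means some hop on the path cannot forward full-size frames; a single lost probe can also lower the result, so repeat the run before drawing conclusions.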
In some cases, you may see extremely large packets in a captured network trace.
Packet Aggregation (Coalescing) by NIC or OS
Many modern NICs and OS stacks support:
TCP Segmentation Offload (TSO) / Large Send Offload (LSO)
Large Receive Offload (LRO) / Receive Side Coalescing (RSC)
Instead of showing each 1500-byte (or MTU-sized) packet, your capture tool may display one giant “packet” (e.g., 64 KB or more), which is actually multiple packets bundled together by the NIC driver before Wireshark/tcpdump sees them.
This is especially common if you’re capturing on the sender/receiver host itself, not on a tap/span port.