LAN assembly 2 packets into 1 packets?

I have two computers A and B, there is a TCP connection between them. I use TCPdump to capture the packets.

I notice that when A sends a lot of TCP packets to B, each IP packets are 1514 bytes.

In B, it receives IP packets of size 2962. Then I checked the IPID. For example, if A sends 4 TCP packets with IPID, 1000, 1001, 1002, 1003, each of which are 1514 bytes. Then B only gets only 2 TCP packets with IPID 1000, 1002, each of which are 2962 bytes.

Does this mean LAN will assembly 2 IP packets into 1 IP packets? How is this happening? Which device does the assembly?

misteryes

Posted 2013-06-19T09:38:18.293

Reputation: 2 255

Can you include a screenshot proving an IP packet of 2962? I don't recall precisely but that may not even be possible unless perhaps if one is including the data/payload. – barlop – 2013-06-19T09:53:39.557

yes, see updates – misteryes – 2013-06-19T10:40:50.127

It could be if it was a jumbo frame, but that usually requires end to end support... – NickW – 2013-06-19T10:42:23.207

Answers

There are two possible answers:

most likely is Large Receive Offload (aka Receive Aggregation) where the NIC or driver merge packets so that there are less interrupts, less DMA/copies and less OS overheads
far less likely is an intermediate device (firewall, IPS or proxy) is proxying, and supports jumbo frames on the last hop

The answer is the packets are most likely being merged by your NIC, this happens before the data is passed up the stack so the real (wire) frames are not being seen by Wireshark.