LSO (Large Send Offload) is used by modern operating systems like GNU/Linux. It is a performance feature in which TCP segments, when passed from the network stack to the network adapter, are merged into one large segment, often bigger than the MTU of the network adapter. This speeds up transmission considerably. The receive-side counterpart of LSO is called LRO (Large Receive Offload).

LSO often causes confusion when network sniffing is not done directly on the wire, because tcpdump and Wireshark show heavily oversized packets when a TCP stream is captured on an adapter of a Linux box.

LSO and LRO are implemented in the Linux kernel as TSO and GSO/GRO.

You can deactivate this behaviour; your network capture then looks more like a wiretap. The following commands are executed as root on Linux 4.9, with wlp2s0 as the (wireless) network device.

Check the state of these capabilities:

# ethtool --show-offload wlp2s0 | grep offload
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]

Obviously tcp-segmentation-offload (TSO) is not in use, but generic-segmentation-offload (GSO) and generic-receive-offload (GRO) are.

To disable GSO and GRO, execute the following commands:

# ethtool -K wlp2s0 gro off
# ethtool -K wlp2s0 gso off
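
The check and the two commands above combined into one script: it reads `ethtool --show-offload` output and prints an `ethtool -K` command for every segmentation or receive offload that is on and not marked [fixed]. This is an added example, not part of the original post; the function names are hypothetical and the sample input is the listing shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read `ethtool --show-offload` output on stdin and print one
# `ethtool -K <dev> <flag> off` line for each coalescing offload that is
# currently "on". Features marked [fixed] cannot be changed and are skipped.
offload_disable_commands() {
    dev=$1
    # `read` splits "name: state [fixed]" into three fields and strips
    # the leading tabs ethtool puts in front of sub-features.
    while read -r name state rest; do
        [ "$state" = "on" ] || continue
        case "$rest" in *"[fixed]"*) continue ;; esac
        case "${name%:}" in
            tcp-segmentation-offload)     flag=tso ;;
            generic-segmentation-offload) flag=gso ;;
            generic-receive-offload)      flag=gro ;;
            large-receive-offload)        flag=lro ;;
            *) continue ;;   # VLAN, tc and other offloads do not merge segments
        esac
        printf 'ethtool -K %s %s off\n' "$dev" "$flag"
    done
}

# Sample input: the listing from this post, embedded so the script runs
# without ethtool or root.
sample_output() {
    cat <<'EOF'
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off [fixed]
tx-vlan-offload: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
EOF
}

# Show what would be run for the device used in this post.
sample_output | offload_disable_commands wlp2s0
```

On a live system, replace `sample_output` with `ethtool --show-offload wlp2s0`, review the printed commands, and run them as root before starting the capture.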

Further reading:



Wireshark-Wiki (example did not work for me)
