Wireshark’s reassembled PDU consists of TCP segment size > MSS

tcp tls wireshark

I'm looking into a Wireshark record provided by someone, to analyze something for them. Wireshark has conveniently reassembled 3 TCP segments that all transported a single TLS packet. The TLS packet could not fit into the 1460-byte MSS, therefore the host made 3 TCP segments out of it and Wireshark has detected this:

[3 Reassembled TCP Segments (5914 bytes): #8(1440), #10(1440), #12(3034)]
    [Frame: 8, payload: 0-1439 (1440 bytes)]
    [Frame: 10, payload: 1440-2879 (1440 bytes)]
    [Frame: 12, payload: 2880-5913 (3034 bytes)]
    [Segment count: 3]
    [Reassembled TCP length: 5914]
    [Reassembled TCP Data: ... ]

This is great, but what I don't understand is why the 3rd segment has a size that exceeds the MSS of this TCP connection, which was negotiated in the SYN/SYN+ACK at 1460 bytes.

Best Answer

I subsequently found the reason myself: this is due to large receive offload, as explained at http://rtoodtoo.net/generic_segmentation_offload_and_wireshark/. The host's network interface card or kernel collected multiple TCP segments and merged them into a single large segment before passing it to userspace.

So when Wireshark recorded the traffic, it appeared as a single TCP segment/IP packet that exceeds the allowed MTU and MSS.
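An added example, not part of the original question or answer: a small Python check that parses the reassembly lines quoted in the question and flags any captured frame whose TCP payload exceeds the MSS, which means the capture saw a buffer coalesced by offload rather than a single on-wire segment. The function names are hypothetical, and the MSS of 1460 is taken from the question.

```python
import math
import re

# Reassembly detail lines copied from the Wireshark output in the question.
REASSEMBLY = """\
[Frame: 8, payload: 0-1439 (1440 bytes)]
[Frame: 10, payload: 1440-2879 (1440 bytes)]
[Frame: 12, payload: 2880-5913 (3034 bytes)]
"""

FRAME_RE = re.compile(r"\[Frame: (\d+), payload: (\d+)-(\d+) \((\d+) bytes\)\]")


def parse_segments(text):
    """Return (frame, start, end, length) tuples from reassembly lines."""
    segments = []
    for match in FRAME_RE.finditer(text):
        frame, start, end, length = map(int, match.groups())
        if end - start + 1 != length:
            raise ValueError(f"frame {frame}: byte range and length disagree")
        segments.append((frame, start, end, length))
    return segments


def is_contiguous(segments):
    """True when each segment starts right after the previous one ends."""
    return all(a[2] + 1 == b[1] for a, b in zip(segments, segments[1:]))


def flag_coalesced(segments, mss):
    """Map frame number -> minimum count of on-wire segments it must contain.

    A payload larger than the MSS cannot have crossed the wire as one
    segment on this connection, so the captured frame is a merged buffer.
    """
    if mss <= 0:
        raise ValueError("MSS must be positive")
    return {
        frame: math.ceil(length / mss)
        for frame, _start, _end, length in segments
        if length > mss
    }


if __name__ == "__main__":
    segs = parse_segments(REASSEMBLY)
    for frame, count in flag_coalesced(segs, mss=1460).items():
        print(f"frame {frame}: payload > MSS, at least {count} wire segments merged")
```

The count is only a lower bound: the capture does not show how the merged bytes were actually split on the wire.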
