When I capture packets with tcpdump on an Ubuntu 20.04 VM running a SOCKS proxy server on port 1080, they are often larger than 1500 bytes. My network device has an MTU of 1500, so as far as I understand it, this means that they are being reassembled. Since I want to analyze the timing and size of the packets on the wire, I would like to capture them before they are reassembled, or not have them reassembled at all. Is there any way to do this, or do I need to use a completely different setup?
When I use NetfilterQueue along with iptables, the maximum packet sizes surprisingly become 1500. I don’t really understand this effect. Are the packets being disassembled or not reassembled at all?
I tried changing various options for tcpdump. However, it had no effect.
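To quantify the observation in the question, the following added example (not part of the original post) reads a capture file and lists every frame whose network-layer size exceeds the MTU, together with its timestamp. It assumes a classic pcap file such as one written by `tcpdump -w`, with an Ethernet or Linux cooked link type; the function names and the sample capture are constructed for illustration.

```python
import struct

LINK_HDR = {1: 14, 113: 16}  # Ethernet, Linux cooked (tcpdump -i any)
MAGICS = {0xA1B2C3D4: 1e-6, 0xA1B23C4D: 1e-9}  # microsecond / nanosecond pcap

def oversized_frames(pcap: bytes, mtu: int = 1500):
    """Return (total, [(timestamp, l3_bytes), ...]) for frames above the MTU."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", pcap[:4])[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype not in LINK_HDR:
        raise ValueError(f"unsupported link type {linktype}")
    hdr, frac = LINK_HDR[linktype], MAGICS[magic]
    total, big, off = 0, [], 24
    while off + 16 <= len(pcap):
        sec, sub, incl, orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16 + incl          # incl = bytes stored; may be cut by the snaplen
        total += 1
        l3 = orig - hdr           # orig = full length the capture point saw
        if l3 > mtu:
            big.append((sec + sub * frac, l3))
    return total, big

def _constructed_pcap():
    """Constructed sample: three Ethernet records, payload bytes zeroed, snaplen 64."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    for sec, usec, orig in [(100, 0, 1514), (100, 500, 2962), (101, 0, 66)]:
        incl = min(orig, 64)
        out += struct.pack("<IIII", sec, usec, incl, orig) + bytes(incl)
    return out

if __name__ == "__main__":
    total, big = oversized_frames(_constructed_pcap())
    print(f"{len(big)} of {total} frames exceed the MTU: {big}")
```

Running it on captures taken with and without the NetfilterQueue rule gives a direct count of how many frames each setup delivers above 1500 bytes.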