I am analyzing a log I captured with Wireshark and I was surprised to find that one of the applications we use in-house that only talks to another host (both connected to a private, internal hub) sends/receives huge frames (on the order of 15K). I thought the max was 9K for jumbo frames. How can one generate these frames? The app uses TCP.
The app uses TCP.
...and the Ethernet adapter might be doing Large Segment Offload or Large Receive Offload, in which case the packets that the capture mechanism used by libpcap/WinPcap (which tcpdump/WinDump, Wireshark, etc. use to capture traffic) provides to the library and application might be "fake" packets corresponding to more than one packet "on the wire".
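One way to check a capture for this effect, as an added example that is not part of the original answer: the script reads a classic pcap file and lists IPv4/TCP frames whose IP length exceeds the link MTU, with an estimate of how many on-the-wire segments each one stands for. The function names, the 1500-byte default MTU and the embedded sample capture are assumptions constructed for illustration.

```python
import math
import struct

ETH = 14  # Ethernet II header length

def build_frame(payload_len, ip_total=None):
    """Constructed Ethernet/IPv4/TCP frame (zeroed addresses and checksums)."""
    total = 40 + payload_len if ip_total is None else ip_total
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 40000, 5000, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file, link type Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, frame in enumerate(frames):
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out

def coalesced_frames(pcap, mtu=1500):
    """Return (frame_no, ip_len, est_wire_segments) for IPv4/TCP frames above the MTU."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    hits, off, no = [], 24, 0
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        no += 1
        if len(data) < ETH + 20 or data[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (data[ETH] & 0x0F) * 4
        if data[ETH] >> 4 != 4 or data[ETH + 9] != 6 or len(data) < ETH + ihl + 20:
            continue  # not TCP, or headers truncated by the snap length
        # Some offloading stacks hand the capture a frame whose IP total-length
        # field is still 0; fall back to the original frame length in that case.
        ip_len = struct.unpack_from("!H", data, ETH + 2)[0] or orig - ETH
        if ip_len <= mtu:
            continue
        tcp_hdr = (data[ETH + ihl + 12] >> 4) * 4
        mss = mtu - ihl - tcp_hdr  # payload bytes that fit in one wire packet
        hits.append((no, ip_len, math.ceil((ip_len - ihl - tcp_hdr) / mss)))
    return hits

# Constructed capture: one normal segment, one ~15K frame, one with IP length 0.
SAMPLE = build_pcap([build_frame(1460), build_frame(14600), build_frame(2920, ip_total=0)])
```

On the constructed sample, `coalesced_frames(SAMPLE)` reports frame 2 as standing for about ten 1500-byte wire packets, and passing `mtu=9000` shows it still exceeds a jumbo-frame MTU.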