tcpdump packets are captured before fragmentation


I have a setup as below.

[ Host A ]  <-> [Rtr-A] <-> [Rtr-M] <-> [Rtr-B] <-> [ Host B]

I have set the MTU of the outgoing interface of Rtr-A (towards 'Rtr-M') to 600. I am capturing packets on 'Host A' and 'Rtr-A'. I have sent data of size 1000 from 'Host A' to 'Host B'. Looking at the packets captured, I can see that an ICMP packet with "fragmentation required" came from Rtr-A to 'Host A', and after that the packet from Host A is still 1000 bytes, whereas the packet that reached Rtr-A is in smaller chunks. This means, I assume, that the packet is fragmented after it is captured on 'Host A'.

Is this expected behaviour? Is there any way I can capture the fragmented packets from 'Host A' itself?

~S


Yes, this is normal and expected behavior when you capture locally. If you want to see the packets as they appear on the wire, then you'll need to capture externally using a TAP, the SPAN port of a switch or a hub if you can find one.

A good article I recommend reading is Jasper Bongertz's "The drawbacks of local packet captures", where this very issue is mentioned in "Sideeffect #2 -Woah, BIG packets! And small ones, too!". You might also want to refer to the Wireshark Ethernet capture setup wiki page.
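As an added example that is not part of the original answer: the Python below models what the sending IP stack does after tcpdump's local capture point, splitting the question's 1000-byte datagram for the 600-byte MTU into the two fragments a TAP or SPAN capture would show, and reassembling them with the checks a wire-side sensor needs (header checksum, gaps, overlaps, missing last fragment). The addresses, identification value and payload bytes are constructed placeholders.

```python
import socket
import struct
IHL = 20  # header length in bytes; no IP options assumed

def checksum(data):
    """Ones'-complement sum over 16-bit words (RFC 1071); a valid header sums to 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(payload_len, ident, more, offset, src, dst, proto=17):
    """IPv4 header: MF is bit 13 of the flags/offset word, offset counts 8-byte units."""
    frag_word = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + payload_len, ident, frag_word,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def fragment(payload, mtu, ident=0x1234, src="10.0.0.1", dst="10.0.1.1"):
    """Split a datagram for a link MTU as an IP stack does (RFC 791): 8-byte multiples."""
    max_data = (mtu - IHL) // 8 * 8
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        frags.append(build_header(len(chunk), ident, off + len(chunk) < len(payload),
                                  off, src, dst) + chunk)
        off += len(chunk)
    return frags

def reassemble(frags):
    """Rebuild the datagram from wire fragments; reject bad checksums, gaps, overlaps."""
    pieces = []
    for f in frags:
        if checksum(f[:IHL]) != 0:
            raise ValueError("bad header checksum")
        total_len, frag_word = struct.unpack("!HH", f[2:4] + f[6:8])
        pieces.append(((frag_word & 0x1FFF) * 8, bool(frag_word & 0x2000), f[IHL:total_len]))
    pieces.sort()
    expected, out = 0, b""
    for off, more, data in pieces:
        if off != expected:
            raise ValueError("gap or overlap at offset %d" % off)
        out, expected = out + data, expected + len(data)
    if pieces[-1][1]:
        raise ValueError("last fragment (MF=0) missing")
    return out

PAYLOAD = bytes(i % 251 for i in range(1000))  # constructed: the question's 1000-byte datagram
FRAGS = fragment(PAYLOAD, 600)  # two fragments on the wire: 596 and 444 bytes
```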