- TCP MSS operates at Layer 4. It is 40 bytes lower than the IP MTU as it does not consider headers (20-byte IP and 20-byte TCP).
- IP MTU operates at Layer 3. It is the maximum size a packet can be before it needs to be fragmented (or dropped if the df-bit is set).
- Ethernet MTU (Layer 2) - 1500 bytes, excluding the header and trailer.
One of the most common problems related to MTU is that sometimes higher-level protocols may create packets larger than a particular link supports, and it will be necessary to make adjustments to make it work.
To get around this issue, IPv4 allows fragmentation which divides the datagram into pieces. Each piece is small enough to pass over the single link that it is being fragmented for, using the MTU parameter configured for that interface. This fragmentation process takes place at the IP layer (OSI layer 3) and marks the packets it fragments as such, all the fragmented packets have the same identification number to identify all the fragmented packets of the same datagram.
This ensures the IP layer of the destination host knows it should reassemble the packets into the original datagram based on the identification number and fragmented packets reorder based on the fragmented offset value.
Fragmentation is sometimes not supported by applications and is something to avoid if possible. The best way to avoid fragmentation is to adjust the maximum segment size or TCP MSS so the segment will adjust its size before reaching the data link layer.
Window Size * Window Size Scaling Factor = Real Window Size aka Calculated Window Size.
Related document:
How to calculate the MSS in wireshark when the window scaling option is set?
MSS: Maximum Segment Size is a TCP option where a TCP peer announces to the other TCP peer the maximum size TCP data segment that it can receive. The MSS option is found only in the SYN and SYN/ACK packets of the TCP connection establishment three-way handshake.
Testing MTU from FortiAnalyzer/FortiManager. It needs to be done from the shell.
Important: Ping from SHELL is allowed on FortiAnalyzer v7.0 and newer. on v6.4 and older versions it does not work.
Note:
From v7.4.4, and 7.2.6, shell access has been removed.
FAZ # config system admin setting
(setting)# set shell-access enable
(setting)# end
bash$ ping 192.168.249.254 -c minimum
DNS resolution bash$ ping google.com -4 -c 4 -s 1400
bash$ ping -help
ping: invalid option -- 'h'
BusyBox v1.34.1 (2021-11-18 16:07:33 PST) multi-call binary.
Usage: ping [OPTIONS] HOST
Send ICMP ECHO_REQUESTs to HOST:
-4,-6 Force IP or IPv6 name resolution
-c CNT Send only CNT pings
-s SIZE Send SIZE data bytes in packets (default 56)
-i SECS Interval
-A Ping as soon as reply is recevied
-t TTL Set TTL
-I IFACE/IP Source interface or IP address
-W SEC Seconds to wait for the first response (default 10)
(after all -c CNT packets are sent)
-w SEC Seconds until ping exits (default:infinite)
(can exit earlier with -c CNT)
-q Quiet, only display output at start/finish
-p HEXBYTE Payload pattern
bash$
Ping <IP_FGT> -4 -c 5 -s 175
ICMP packet if sending ICMP 1240.
C:\Windows\System32>ping 8.8.8.8 -f -l 1240
Pinging 8.8.8.8 with 1240 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1240) time=8ms TTL=118
The formula is 14 ethernet headers + 20 IP headers + 8 ICMP headers = 42 bytes + TCP MSS 1240 = 1282 total size of ICMP packet in Wireshark.
TCP MTU is 1294 because ICMP header 8 bytes is replaced by TCP header 20.
Related article:
Technical Tip: How to adjust the Maximum Transmission Unit (MTU) value on a FortiGate interface
|
