FortiGate
nsubramanian
Staff
Article Id 195109

Description

This article describes how to detect fragmented packets in a sniffer and how to control fragmentation of packets before IPsec encapsulation.

The default MTU size is 1500 bytes.

Fragmentation occurs when a packet exceeds the MTU set on the outgoing interface, typically because of the extra bytes added during encapsulation.
Routers can fragment packets unless the Do-Not-Fragment (DF) bit is set to 1 in the IPv4 header.
If the DF bit is set to 0 (the default), the FortiGate splits a packet that is too large for the outgoing interface and sends the two fragments toward the destination.
When the destination receives the two fragments, its protocol stack has to reassemble them before it can process the Protocol Data Unit (PDU).


Some routers, including FortiGate, support jumbo frames.
Using jumbo frames (9216 bytes) requires that every router along the packet's path support them.
This eliminates the need to reduce the MTU on the tunnel interfaces or adjust the MSS, and relieves the routers from performing any fragmentation.

Note that for PPPoE connections the MTU has to be lower than 1500 bytes because of the PPPoE header and protocol ID; in other words, it cannot be greater than 1492 bytes.

When troubleshooting fragmentation issues, a full network diagram is needed.

Scope

FortiGate.

Solution

FGT # diag sniffer packet any "udp" 4 0 a
interfaces=[any]
filters=[udp]
2015-02-18 09:28:00.095018 wan1 in 10.108.16.82.9388 -> 255.255.255.255.9388: udp 2394 (frag 37572:1472@0+)
2015-02-18 09:28:00.095111 wan1 in 10.108.16.82 -> 255.255.255.255:  ip-proto-17 (frag 37572:930@1472)

The IP datagram with ID 37572 was fragmented into two fragments. The sniffer prints each fragment as "frag ID:size@offset", where size and offset are in bytes and a trailing "+" means that more fragments follow:

  • The first fragment carries 1472 bytes at offset 0; the "+" marks it as not the last fragment.
  • The second (and last) fragment carries 930 bytes at offset 1472 and has no "+".

The second fragment is shown as "ip-proto-17" rather than "udp" because only the first fragment carries the UDP header with the port numbers.
The total size of the packet is 2402 bytes (1472 + 930).
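As an added example (not part of the original article), the following Python script parses "frag ID:size@offset+" markers from sniffer output, groups the fragments by IP ID, and reports whether the capture holds a complete, contiguous set and how large the reassembled payload is. It also infers the MTU of the link that fragmented the packet from the largest fragment, assuming a 20-byte IPv4 header with no options; the sample lines are constructed from the two fragments shown above plus one unfragmented datagram.

```python
import re
from collections import defaultdict

# Constructed sample input: the two fragment lines shown in the article plus one
# unfragmented datagram, in the format printed by "diag sniffer packet ... 4".
SNIFFER_OUTPUT = """\
2015-02-18 09:28:00.095018 wan1 in 10.108.16.82.9388 -> 255.255.255.255.9388: udp 2394 (frag 37572:1472@0+)
2015-02-18 09:28:00.095111 wan1 in 10.108.16.82 -> 255.255.255.255:  ip-proto-17 (frag 37572:930@1472)
2015-02-18 09:28:01.000000 wan1 in 10.108.16.82.9388 -> 255.255.255.255.9388: udp 100
"""

# "(frag ID:SIZE@OFFSET+)": SIZE and OFFSET are in bytes; a trailing "+" is the
# More-Fragments flag, so the fragment without "+" is the last one.
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")
IP_HEADER_LEN = 20  # assumption: plain IPv4 header without options

def parse_fragments(text):
    """Group sniffer lines by IP ID -> list of (offset, size, more_fragments)."""
    frags = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            frags[int(m["id"])].append((int(m["off"]), int(m["size"]), m["more"] == "+"))
    return dict(frags)

def summarize(frags):
    """Per IP ID: fragment count, reassembled payload size, whether the capture holds
    a contiguous run that ends in a last fragment, and the MTU implied by the largest
    fragment (fragment bytes + IP header), which is the link where fragmentation happened."""
    report = {}
    for ip_id, parts in frags.items():
        parts = sorted(parts)
        contiguous, expected = True, 0
        for off, size, _ in parts:
            if off != expected:  # gap or overlap: a fragment is missing or duplicated
                contiguous = False
            expected = off + size
        report[ip_id] = {
            "fragments": len(parts),
            "total_bytes": sum(size for _, size, _ in parts),
            "complete": contiguous and not parts[-1][2],
            "inferred_mtu": max(size for _, size, _ in parts) + IP_HEADER_LEN,
        }
    return report

if __name__ == "__main__":
    for ip_id, info in summarize(parse_fragments(SNIFFER_OUTPUT)).items():
        print(f"IP ID {ip_id}: {info}")
```

For the sample above this reports ID 37572 as complete with 2402 payload bytes and an inferred MTU of 1492, which matches the PPPoE limit mentioned earlier; a capture that shows only "+" fragments for an ID points at a lost last fragment.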

Important Note:
The option below is available in FortiOS v6.2 and later.

A new IP fragmentation option controls the fragmentation of packets before IPsec encapsulation, which can reduce packet loss in some environments.
The following values are available for the ip-fragmentation option in the CLI:

config vpn ipsec phase1-interface
    edit (name)
        set ip-fragmentation pre-encapsulation      <----- This option will fragment before IPsec encapsulation.
    end

config vpn ipsec phase1-interface
    edit (name)
        set ip-fragmentation post-encapsulation     <----- This option is RFC compliant and will fragment the packets after IPsec encapsulation.
    end