Wireshark-users: Re: [Wireshark-users] Calculating PMTUD

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 7 Oct 2008 19:47:34 +0200
On Tue, Oct 07, 2008 at 01:18:12PM -0400, natrbrazell@xxxxxxx wrote:
> When trying to ascertain the effect of devices inline on a 
> network such as a cryptographic device, is it best to use 1514 
> (Total size seen in Wireshark) as the MTU at the host or 1500?  

Well, the MTU of a network segment (MTU has only local meaning, as
intermediate networks between two communicating hosts might have
other physical or logical size limitations) is the maximum size 
that can be transmitted accross *that* network without 
fragmentation. Beware that this size is excluding the header
for that particular network type. So for ethernet, with a standard
MTU size of 1500 bytes, the actual maximum size on the network will
be 1518 bytes. 14 bytes ethernet header, 1500 bytes payload and 
4 bytes FCS at the end. The 4 bytes FCS are normally not passed 
from the NIC to the host because either the NIC or the driver 
strips this information.

> For instance if my PC's at either end of a connection  has MTU 
> of 1500 and using a tool such as Iperf I discover that my MTU 
> and MSS values are 1412 and 1372 for MSS, do I assume that 
> the size is 1500 - 1412 or 1514 - 1412?

The MTU is set within the network driver settings, but the MSS can
be negotiated in the 3-way-handshake. If you only see packets of size
1412 and the MSS negotiation in the 3-way-handshake show a MSS of 1372,
it shows that there is a device somewhere in between your two hosts 
with MTU=1500 which is limiting the MSS to prevent fragmentation at
the IP layer. This is usually seen on devices that encapsulate
packets (like VPN's). It could also mean that the traffic passes
networks that have a lower MTU for which the routers are limiting
the MSS.

Hope this helps,
Cheers,
    Sake