MTU size in packet capture

  1. #1
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683

    MTU size in packet capture

    Hey guys,

    I'm trying to find the MTU size in a packet capture on SMTP. I am opening the capture up in Wireshark on a Windows machine. If anyone knows where it sits in the capture, please do let me know!

    Thanks
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  2. #2
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    There is no MTU in the IP header as defined in RFC 791. What is there is Total Length that refers to the number of bytes in the packet (max 65,535) before fragmentation.

    I don't know if Wireshark calculates the size of each captured packet, but unless it is an obviously short packet it will be either 1500 or 1492 (IEEE 802.3/802.2) depending upon the source of the capture. Common MTUs are listed in RFC 1191.

  3. #3
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Hey, thanks for the heads up. The problem is, our Netgear Dual WAN is set to "default" MTU, which I thought was around 1492, but someone looked at some captures and came back with a totally different MTU. I just wanted to double-check it. So you are saying that there is no way to find that out in an IP header?

  4. #4
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    That is correct. That said, look for a packet with the fragment flag turned on. IIRC it is in the 2nd bit in the 4th byte of the IP header. That packet will be the maximum size and thus match the MTU after accounting for the headers. Most router MTUs should be set at 1500.

    You can use ping to bracket the MTU size by pinging a host using both the do not fragment flag and the send buffer size. If the ping packet is too big an error message "Packet needs to be fragmented but DF set" will be displayed. You must make an allowance for the IP header of 20 bytes and the ICMP (ping) request of 8 bytes. The maximum ping buffer size will be 28 bytes shorter than the MTU or 1472 for an MTU of 1500. Thus a ping command will look like this:

    ping -f -l 1472 www.dslreports.com

    I used dslreports because they will actually respond to a ping request. Many networks will not respond to a ping. Use an external host so that you are sure the ping is transiting your router.

  5. #5
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Hey ua549.

    I actually wrote a reply but my browser bombed out.

    OK, so the issue is that the MSS value was around 536. Now, as I understand it, the MSS makes up part of the MTU. Anyway, I requested that the MSS value be made higher, above 1000, on our Cisco router.

    Our browsing is perfect and incoming mail has no delays; however, outbound is delayed by a long shot.

    What is the "recommended" on a router for MSS? For MTU I understand that ADSL must be at 1492 and all Ethernet must be 1500 all round.

    Am I correct?

  6. #6
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    If the packet size coming from a web server is too large, the Cisco UAC will drop the packet and ask the web server to resend the information using a smaller MTU.

    The MSS is a bit different. It is part of the TCP protocol, not the IP protocol.
    The MSS is specified in octets and does not include any headers. MSS + headers ≤ MTU

    There are TCP/IP optimizer tools available, but I have no experience with any of them.

    *edit* Here is some info on cat5e's web site. He is a moderator on a couple of other Internet.com sites.
    Last edited by ua549; October 5th, 2011 at 12:43 PM.
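
Added example (not part of the original thread): the two hints discussed in posts #4 and #6, fragment size and MSS, can be read directly from captured IPv4 packets. The Python below decodes the More Fragments flag and Total Length from the RFC 791 header and the MSS option from TCP SYNs; the sample packets, addresses and helper names are constructed for illustration.

```python
import struct

def ipv4_info(pkt: bytes) -> dict:
    """Decode the RFC 791 fields relevant to MTU from a raw IPv4 packet (no link-layer header)."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "proto": proto,
            "mf": bool(flags_frag & 0x2000),       # More Fragments bit of the 16-bit field at offset 6
            "frag_off": (flags_frag & 0x1FFF) * 8} # fragment offset in bytes

def tcp_syn_mss(pkt: bytes, ihl: int):
    """Return the MSS option (kind 2) carried by a TCP SYN, or None."""
    tcp = pkt[ihl:]
    if len(tcp) < 20 or not tcp[13] & 0x02:        # too short, or SYN flag not set
        return None
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the option list
        if opts[i] == 1:                           # kind 1 is a single-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # truncated or malformed option
            return None
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def mtu_evidence(packets) -> dict:
    """Collect the MTU hints a capture can hold: fragment sizes and advertised MSS."""
    frags, mss = [], []
    for pkt in packets:
        ip = ipv4_info(pkt)
        if ip["mf"]:
            frags.append(ip["total_len"])          # normally within 7 bytes below the MTU that split it
        m = tcp_syn_mss(pkt, ip["ihl"]) if ip["proto"] == 6 and ip["frag_off"] == 0 else None
        if m is not None:
            mss.append(m)
    # MSS + 20 (IP) + 20 (TCP): assumes neither header carries options on data segments
    return {"largest_mf_fragment": max(frags, default=None),
            "mss_implied_mtu": [m + 40 for m in mss]}

# Constructed sample packets: headers only, checksums zeroed, documentation addresses
def _ip(total_len, flags_frag, proto, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload
def _syn(mss):  # SYN to port 25 (SMTP) carrying a single MSS option
    return struct.pack("!HHIIBBHHH", 49152, 25, 0, 0, 6 << 4, 0x02, 65535, 0, 0) + struct.pack("!BBH", 2, 4, mss)
SAMPLE = [_ip(1492, 0x2000, 1), _ip(44, 0x4000, 6, _syn(536)), _ip(44, 0x4000, 6, _syn(1452))]
```

On the constructed sample, `mtu_evidence(SAMPLE)` reports a largest fragment of 1492 and MSS-implied MTUs of 576 and 1492. The advertised MSS can be rewritten by devices on the path, so treat it as a hint and confirm with the fragment sizes or the ping test from post #4.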
