-
September 29th, 2011, 11:24 AM
#1
MTU size in packet capture
Hey guys,
I'm trying to find the MTU size in a packet capture on SMTP. I am opening the capture up in Wireshark on a Windows machine. If anyone knows where it sits in the capture, please do let me know!
Thanks
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
September 29th, 2011, 01:23 PM
#2
There is no MTU in the IP header as defined in RFC 791. What is there is Total Length that refers to the number of bytes in the packet (max 65,535) before fragmentation.
I don't know if Wireshark calculates the size of each captured packet, but unless it is an obviously short packet it will be either 1500 or 1492 (IEEE 802.3/802.2) depending upon the source of the capture. Common MTUs are listed in RFC 1191.
-
September 29th, 2011, 01:53 PM
#3
Hey, thanks for the heads up. The problem is, our Netgear Dual WAN is set to "default" MTU, which I thought was around 1492, but someone looked at some captures and came back with a totally different MTU. I just wanted to double check it. So you are saying that there is no way to find that out in an IP header?
-
September 29th, 2011, 04:17 PM
#4
That is correct. That said, look for a packet with the fragment flag turned on. IIRC it is in the 2nd bit in the 4th byte of the IP header. That packet will be the maximum size and thus match the MTU after accounting for the headers. Most router MTUs should be set at 1500.
You can use ping to bracket the MTU size by pinging a host using both the do not fragment flag and the send buffer size. If the ping packet is too big an error message "Packet needs to be fragmented but DF set" will be displayed. You must make an allowance for the IP header of 20 bytes and the ICMP (ping) request of 8 bytes. The maximum ping buffer size will be 28 bytes shorter than the MTU or 1472 for an MTU of 1500. Thus a ping command will look like this:
I used dslreports because they will actually respond to a ping request. Many networks will not respond to a ping. Use an external host so that you are sure the ping is transiting your router.
-
October 5th, 2011, 09:44 AM
#5
Hey ua549.
I actually wrote a reply but my browser bombed out.
OK, so the issue is that the MSS value was around 536. Now, as I understand it, the MSS makes up part of the MTU. Anyways, I requested that the MSS value be made higher, above 1000, on our Cisco router.
Our browsing is perfect and incoming mail has no delays; however, outbound is delayed by a long shot.
What is the "recommended" on a router for MSS? For MTU I understand that ADSL must be at 1492 and all Ethernet must be 1500 all round.
Am I correct?
-
October 5th, 2011, 12:24 PM
#6
If the packet size coming from a web server is too large, the Cisco UAC will drop the packet and ask the web server to resend the information using a smaller MTU.
The MSS is a bit different. It is part of the TCP protocol, not the IP protocol.
The MSS is specified in octets and does not include any headers. MSS + headers ≤ MTU
There are TCP/IP optimizer tools available, but I have no experience with any of them.
*edit* Here is some info on cat5e's web site. He is a moderator on a couple of other Internet.com sites.
Last edited by ua549; October 5th, 2011 at 12:43 PM.
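An added example, not part of any post in this thread: a small Python parser that pulls the fields discussed above (IP Total Length, the DF/MF fragment flags, and the TCP MSS option from a SYN) out of one raw IPv4 packet, then applies the thread's arithmetic (MSS + headers ≤ MTU, ping buffer = MTU - 28). The function names and the sample packet are constructed for illustration; the input is assumed to be the IP packet bytes with the link-layer header already stripped.

```python
import struct

# Constructed sample: raw IPv4 + TCP SYN (no Ethernet header), DF set, MSS option 1460.
SAMPLE_SYN = bytes.fromhex(
    "4500002c1234400040060000c0000201c0000202"  # IPv4 header (checksum left zero)
    "c000001900000000000000006002ffff00000000"  # TCP header, SYN, data offset 6
    "020405b4"                                  # option: kind 2 (MSS), length 4, 1460
)

def parse_mtu_fields(pkt: bytes) -> dict:
    """Return Total Length, DF/MF flags and (for a TCP SYN) the advertised MSS."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    info = {"total_length": total_len,
            "df": bool(flags_frag & 0x4000),   # Don't Fragment
            "mf": bool(flags_frag & 0x2000),   # More Fragments
            "mss": None}
    tcp = pkt[ihl:total_len]
    # MSS is a TCP option carried only in SYN segments; skip non-TCP and later fragments.
    if pkt[9] != 6 or flags_frag & 0x1FFF or len(tcp) < 20 or not tcp[13] & 0x02:
        return info
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:       # kind 0 = end of option list
        if opts[i] == 1:                        # kind 1 = NOP, a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                               # truncated or malformed option
        if opts[i] == 2 and opts[i + 1] == 4:
            info["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return info

def mtu_from_mss(mss: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """Smallest MTU that satisfies MSS + headers <= MTU (headers without options)."""
    return mss + ip_hdr + tcp_hdr

def max_ping_payload(mtu: int) -> int:
    """Largest ping buffer that fits unfragmented: MTU - 20 (IP) - 8 (ICMP)."""
    return mtu - 28

if __name__ == "__main__":
    fields = parse_mtu_fields(SAMPLE_SYN)
    print(fields, mtu_from_mss(fields["mss"]), max_ping_payload(1500))
```

The MSS seen in a SYN is only what that endpoint (or a device rewriting the option on the path) advertised, so it bounds the MTU rather than proving it.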