6

I've been reading about maximum transmission unit (MTU) which is the size of the largest protocol data unit (PDU) that can be communicated in a single, network layer, transaction.

I'm generating a few network traffic right now and capture it in Wireshark, unfortunately I'm not sure which one is the MTU size value in PCAP file.

Please let me know how to inspect this value in Wireshark.

Sabrina
  • 311
  • 2
  • 4
  • 14
  • Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could post and accept your own answer. – Ron Maupin Jan 05 '21 at 21:08

3 Answers3

8

There is nothing in the packet that will tell you what the MTU is. It's an attribute of an interface. The MTU can vary along the path from source to destination. So for example, the link from A to B might have an MTU of X, but the link from B to C, might be Y. There's no way to tell from the PCAP file.

You might be able to infer the MTU value of some link the packet traveled if you see fragmented packets. But that would be an educated guess at best.

Ron Trunk
  • 66,852
  • 5
  • 65
  • 126
  • MTU is available on TCP SYN packets anyway. – Joshua Apr 10 '18 at 19:27
  • 1
    @Joshua You mean MSS, don't you? This is derived from the destination's MTU which *might* be the path MTU - or not. – Zac67 Apr 10 '18 at 19:58
  • @Zac67: My understanding is that intermediate routers are intended to edit it so that by the time it is received it is the path MTU. – Joshua Apr 10 '18 at 20:00
  • @Joshua I see - since routers are supposed to be L3 devices, this doesn't usually work and has been pretty much abandoned. Path MTU Discovery works by actually trying to send packets of the desired size, on IPv4 this requires the *DF* bit to be set. – Zac67 Apr 10 '18 at 20:25
  • @Joshua You’re probably thinking of Window Size, which is not the same thing. – Ron Trunk Apr 10 '18 at 20:49
  • 1
    @Joshua Intermediate routers are not intended to edit the MSS. But some are able to do it as a workaround for broken PMTU discovery. That technique is usually called MSS clamping. And it is a very effective way to work around networks which broke PMTU discovery one way or another. – kasperd Apr 10 '18 at 22:52
  • @kasperd: I always thought that was the designed behavior (so that the size is always set by the time the handshake finishes), but that would make too much sense. – Joshua Apr 10 '18 at 23:07
  • @Joshua MSS is a field that is specific to TCP (and it isn't even mandatory in TCP). Routers are supposed to forward traffic without caring what the higher level protocol is (and possibly not even knowing). PMTU discovery will work for other protocols that aren't TCP. If wasn't because some of the protocols used in the control plane run over TCP a router wouldn't need to know what TCP is. – kasperd Apr 10 '18 at 23:14
  • Thanks @RonTrunk. `Nmap` has capabilities to create fragment packets with `-f` option and specify MTU size with `--mtu`. You said that I might be able to see the fragmented packets. I would appreciate if you can point this value location in Wireshark – Sabrina Apr 11 '18 at 00:20
2

As Ron has nicely explained, you can't reliably observe the MTU in a packet capture. You can find a minimum value from the largest frame size you've observed (minus L2 overhead) and you can guess.

Since the MTU is a property of the IP binding to a network interface you can just ask your operating system, e.g. in Windows

netsh interface ipv4 show interfaces

You'd need to do that for every single node as there's no way to tell from the outside - there's no standard protocol to ask a node via network.

Zac67
  • 81,287
  • 3
  • 67
  • 131
-1

Can you see in that sentence....

enter image description here

ShowPingDetailxD
  • 1
  • 1
    That is not the MTU. That is the TCP segment size after the IP packet fragments have been reassembled. You cannot determine the MTU from what you show. – Ron Maupin Oct 19 '21 at 17:22
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/54273) – rnxrx Oct 24 '21 at 01:44