This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why is the advertised MSS smaller than expected

0

The client NIC is set to MTU of 4000 and supposedly the switches along the paths. The SYN is showing a 1380 MSS instead of 3960. What is the cause?

asked 13 Jul '12, 02:52

ws2006's gravatar image

ws2006
1121214
accept rate: 0%

converted 13 Jul '12, 05:01

grahamb's gravatar image

grahamb ♦
19.8k330206

2 Answers:

0

There are several possibilities why the MSS is different than the MTU. Please check the items below and provide some more details about your environment.

  1. how did you check that the MTU is really set to 4000?
  2. an application can set the MSS via setsockopt (TCP_MAXSEG). If that works, depends on the OS, kernel parameters, etc. Maybe your application does that. What is the MSS if you use a "standard" tcp client like: telnet ask.wireshark.org 80?
  3. iptables (TCPMSS target) can modify the MSS value. Other security devices can do that as well.
  4. what is your OS?

Regards
Kurt

answered 13 Jul '12, 16:35

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 13 Jul '12, 16:42

  1. The network team verified the MTU on the switches are set to 4000 and the server NIC was changed to 4000. Both client and server side are set to 4000 and can ping with 4000 mtu. The client is announcing 1380 MSS in the SYN and the server responding with 3960 in the SYN-ACK. The OS is Solaris. When the Server do initiate the connection, his SYN is 3960 as MSS and the client MSS is 1380 in the SYN-ACK. So it is the client not announcing the 3960 MSS.
(16 Jul '12, 07:55) ws2006

is the client solaris?
Can you post the output of ifconfig -a?
what is the MSS if you use telnet instead of your application?

(16 Jul '12, 08:55) Kurt Knochner ♦

please (additionally) post the output of these commands on the client.

ndd /dev/tcp tcp_mss_def
ndd /dev/tcp tcp_mss_max
ndd /dev/tcp tcp_mss_def_ipv4
ndd /dev/tcp tcp_mss_max_ipv4

Maybe there is a limit defined, that explains the behaviour.

(16 Jul '12, 11:20) Kurt Knochner ♦

0

I assume you made the capture on the server or very close to the server. The MSS value in the TCP options of a SYN or SYN/ACK packet can be altered by network devices in between the client and the server.

One reason to do this is when a VPN device tunnels TCP traffic, it will lower the MSS value to make sure there is no need to fragment the packet after the packet is encapsulated.

Cisco FWSM and ACE modules do lower the MSS by default to 1380, but you can change this by the following settings:

  • sysopt connection tcpmss <0-65535>
  • mtu <interface> <mtu-value>

answered 18 Jul '12, 02:02

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Yes, the capture was at the sender side on the server vlan. Thanks.

(24 Jul '12, 17:24) ws2006