This is a static archive of our old Q&A Site. Please post any new questions and answers at

Wireshark does not capture depending on MTU size



I have set the MTU to 1400 on computer "A".

From computer "B" I ping computer "A" by sending a 2000 bytes large ICMP packets:

ping -s 2000

I don't get any replies from computer "A". Wireshark detects fragmented IP packets with the info "proto=ICMP 0x01, off=1480", but no ICMP packets.

If I change the MTU to 1500 on computer "A", then packets of any size are sent over from computer "B" to computer "A" and are fragmented.

Why does it work with MTU=1500 but not with MTU=1400?

asked 02 Feb '11, 01:31

Rox's gravatar image

accept rate: 0%

One Answer:


Computer B will send IP datagrams of up to 1480 bytes (assuming the IP header is 20 bytes). The rest of the ICMP packet (with a payload of 2000 bytes) will be sent in a second fragment. This can be verified by the fact that you see "proto=ICMP 0x01, off=1480".

The first IP fragment is 1500 bytes on the wire. However, Computer A was told it can only send/receive packets of up to 1400 bytes. Therefor it drops the first IP fragment of this IP datagram and only receives the second fragment with the offset of 1480.

When you change the MTU size on a system, you need to change it for all directly connected systems on the network.

answered 02 Feb '11, 10:52

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

edited 02 Feb '11, 14:20

SYNbit is dead on. Your machine is not most likely not sending packets that are greater than 1500 bytes. Add the -f to your ping command to set the df bit.

C:Documents and Settingspaul>ping -f -n 2 -l 2000

Pinging with 2000 bytes of data:

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

Ping statistics for Packets: Sent = 4, Received = 0, Lost = 2 (100% loss),

In this example, the message above is coming from the local stack, not a router.

(02 Feb '11, 13:51) Paul Stewart