This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What is the difference between tcp.len and data.len filters? I thought that both mean data size travelling in the segment (not including TCP header). I have a problem related to MTU issue and im trying to figure if data size from application layer is greater than the MSS announced by the server.

The capture shows some TCP packets encapsulating 1434 Bytes:

enter image description here

But the TCP layer analysis displays the same TCP packets with len = 1448

enter image description here

I think that this TCP segment is encapsulating 1448 Bytes. 1448B plus 32B of TCP header (some TCP options are enabled) plus 20B of IP Header = 1500 Bytes as it is displayed in the analysis of the IP layer.

So i have a question related to this one about MSS clamping. LAN clients are connected to router using Ethernet with MTU = 1500 Bytes and router is connected to Internet using PPPoE with MTU = 1492 Bytes. The router is manipulating MSS field in every TCP packet with SYN flag enabled in both directions, this is known as MSS clamping. This way LAN clients receive MSS = 1452 from servers in Internet and the servers receive MSS = 1452 from the LAN clients.

But what happens if server announces MSS < 1452? LAN clients will receive MSS = 1452 from the server so only PMTUD can work here?

asked 11 May '14, 08:11

Miguelbc's gravatar image

Miguelbc
11225
accept rate: 0%


MSS clamping should only modifiy the MSS option in SYN flagged packets if the advertized MSS in the SYN packet is greater than the MSS of the local segment. E.g. if an external server announces an MSS of 1300 then it should just pass through unchanged if you MSS is 1452. That way the client knows that the server can only deal with segments up to 1300 bytes and everything should be fine.

permanent link

answered 11 May '14, 09:28

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

So i should check the iptables rule for MSS clamping in my router because its not working properly. By the way what is the difference between tcp.len and data.len filters?

(11 May '14, 09:44) Miguelbc

not sure abou the tcp.len and data.len, as I have no trace that shows this. The ones I checked have the same tcp.len and data.len. I guess your example was created using frame slicing (meaning, you didn't capture the full packet), because it says in your screen shot "not all data available"). Maybe this is the reason why tcp.len and data.len differ.

(11 May '14, 10:17) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×25
×23

question asked: 11 May '14, 08:11

question was seen: 3,464 times

last updated: 11 May '14, 10:17

p​o​w​e​r​e​d by O​S​Q​A