This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not honoring own MSS?

0

During the initial TCP handshake, the server specifies a MSS of 1460, and the client specifies a MSS of 1200. However, the server sends segments with lengths of 32786, 15444, 13068, 5940 and 2376.

Is this normal? Why the server would behave this way?

asked 06 Jul '11, 14:15

jamesm113's gravatar image

jamesm113
1111
accept rate: 0%


2 Answers:

2

Is the program that's capturing the traffic (Wireshark, TShark, tcpdump, dumpcap, etc.) running on the client, the server, or some other machine passively sniffing the traffic between them?

If this is on the server, you might be seeing large segment offload. If it's on the client, you might be seeing large receive offload. I.e., if you're capturing on the client or the server, you might not be seeing the actual traffic on the wire, you might be seeing what the host's TCP implementation is sending to the network adapter or receiving from the network adapter.

answered 06 Jul '11, 16:10

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

0

We have seen similar behavior if the traffic passes a misbehaving active device. Likely candidates are:

  • A firewall that is not correctly processing TCP options
  • An ACE module with misconfigured TCP normalization

In some cases we see very strange behavior caused by the wrong MSS.

answered 07 Jul '11, 07:34

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%

just traced a server hidden behind an old Cisco 10mbit router today... the server advertises a MSS of 536, and then, after a few packets, I see 1024 byte segments comming thru... the router is concatenating the server's payloads, creating larger segments than advertised.

(07 Jul '11, 09:03) Jasper ♦♦

This was a recent hot topic for me. I've learned that a system does NOT have to adhere to it's own advertised MSS...it seems that it should, but it doesn't. SystemA adverts an MSS of 1400, SystemB adverts an MSS of 1200; SystemA won't send SystemB a segment larger than 1200, but SystemA may very well send SystemB a segment that's 1400Bytes. We all assume that with an MSS based on MTU the system is, itself, limited to it's advert'd MSS - but the MSS can be artificially lowered.

(12 Jul '11, 06:32) GeonJay