How are these packets handled? [closed]

asked 2022-04-13 07:22:20 +0000

biggun_benny

Hello :-)

I have a web server that is often sending packets that are greater than the MTU, while having the DF flag (Don't Fragment) set. This seemingly works 99% of the time, but I cannot understand how this functions underneath. See screenshot from Wireshark here:

https://1drv.ms/u/s!Ar2R-UAQbAAomyFZu...

The question is: how is this handled?

The packet capture was done on the server itself and I was suspecting "Large Segment Offloading" to silently split these packets into MTU-sized ones. But is it allowed to do so with DF set? Or will the NIC simply drop the packet even before it reaches the network?

Bonus info: This machine is located on a network where ICMP has been disabled, and I suspect this is why I never hear "Packet needs to be fragmented but DF set" back. Yet, as I said, it seems to work almost all the time.

Environment: Windows 10


Closed for the following reason: the question is answered, right answer was accepted by biggun_benny
close date 2022-04-13 09:30:09.248719

Comments

Thank you very much fellas, for your quick responses. It is much appreciated.

biggun_benny ( 2022-04-13 09:29:14 +0000 )

2 Answers


answered 2022-04-13 08:02:44 +0000

Guy Harris

> The packet capture was done on the server itself and I was suspecting "Large Segment Offloading" to silently split these packets into MTU-sized ones.

That's probably what's happening.

> But is it allowed to do so with DF set?

Yes.

TCP segmentation/desegmentation offloading is different from IP fragmentation; the DF bit is an IP-layer bit, saying "do not carve this IP datagram into multiple IP fragments".

TCP segmentation is the dividing of a chunk of bytes into multiple TCP segments, each of which is put into a single IP datagram; those datagrams will be MTU-sized. TCP segmentation offloading means that the host can send a large chunk of bytes - too large to fit into a single MTU-sized IP datagram - to the network adapter, and the adapter will send it out as multiple TCP segments. That single large chunk of bytes might be supplied to the capture mechanism as a single packet, but that doesn't mean it went out on the network as a single datagram.

TCP desegmentation is the reassembly of TCP segments into a single chunk of bytes to be provided to the code reading from the socket. TCP desegmentation offloading means that the adapter reassembles multiple TCP segments into a single chunk of bytes and hands that chunk to the host as a single packet. That single packet might be too large to go over the network in a single datagram, but that doesn't mean it did go over the network in a single datagram.
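The distinction drawn in the answer above, as an added example that is not part of the original thread: a simplified model of what a NIC doing TCP segmentation offload does with one oversized IPv4/TCP packet as a sender-side capture shows it. The function names, addresses, ports and the 4000-byte payload are constructed for illustration; real hardware also recomputes the TCP checksum, which this sketch leaves out.

```python
import struct

DF = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tso_segment(packet: bytes, mtu: int) -> list[bytes]:
    """Split one oversized IPv4/TCP packet into MTU-sized datagrams (no IP fragments)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, rest = bytearray(packet[:ihl]), packet[ihl:]
    thl = (rest[12] >> 4) * 4
    tcp, payload = bytearray(rest[:thl]), rest[thl:]
    mss = mtu - ihl - thl
    ip_id, = struct.unpack_from("!H", ip, 4)
    seq, = struct.unpack_from("!I", tcp, 4)
    flags, out = tcp[13], []
    for off in range(0, len(payload), mss):
        chunk = payload[off:off + mss]
        last = off + mss >= len(payload)
        struct.pack_into("!H", ip, 2, ihl + thl + len(chunk))         # IP total length
        struct.pack_into("!H", ip, 4, (ip_id + off // mss) & 0xFFFF)  # new IP ID per datagram
        struct.pack_into("!H", ip, 10, 0)                             # zero, then refill checksum
        struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
        struct.pack_into("!I", tcp, 4, (seq + off) & 0xFFFFFFFF)      # advance TCP sequence
        tcp[13] = flags if last else flags & ~0x09                    # FIN/PSH only on the last
        out.append(bytes(ip) + bytes(tcp) + chunk)  # flags/offset field at byte 6 untouched: DF kept
    return out

def sample_capture(payload_len: int = 4000) -> bytes:
    """Constructed sample: one 4040-byte 'packet' with DF set, as the capture shows it."""
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 1, DF,
                               64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return bytes(ip) + tcp + bytes(payload_len)

if __name__ == "__main__":
    for d in tso_segment(sample_capture(), 1500):
        total, _, frag = struct.unpack_from("!HHH", d, 2)
        seq, = struct.unpack_from("!I", d, 24)
        print(f"len={total} DF={bool(frag & DF)} MF/offset={frag & 0x3FFF:#x} seq={seq}")
```

Every resulting datagram fits the MTU, has DF set and carries a zero fragment offset with MF clear, so nothing was fragmented at the IP layer; the split shows up only in the TCP sequence numbers.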


answered 2022-04-13 08:00:46 +0000

Jasper

The packets are greater than the MTU because you captured them on the server sending them, as you already suspected (the Large Segment Offloading happens after Wireshark picked them up already). I don't see a problem with the DF flag - it will be set for the last packet of the chain of packets when they're being created from the large segment you see.

I would recommend enabling ICMP, of course - there's no real security issue these days as ICMP redirects are ignored by modern TCP stacks (preventing a MiTM situation). You could still block it but enable all the "Destination Unreachable" messages to be able to receive error messages like "Fragmentation Needed".
