Ask Your Question
0

How is these packets handled? [closed]

asked 2022-04-13 07:22:20 +0000

biggun_benny gravatar image

Hello :-)

I have a web server that often sending packets that are greater than MTU, while having the DF flag (Don't Fragment) set. This seemingly works 99% of the time, but I cannot understand how this functions underneath. See screenshot from wireshark here:

https://1drv.ms/u/s!Ar2R-UAQbAAomyFZu...

Question is how is this handled?

The packet capture was done on the server itself and I was suspecting "Large Segment Offloading" to silently split these packet into MTU size ones. But is it allowed to do so with DF set? or will the NIC simply drop the packet even before it reaches the network.

Bonus info: This machine is located on a network where ICMP has been disabled, and I suspect this is why I never hear "Packet needs to be fragmented but DF set" back. Yet, like said, it seems to work almost all the time

Environment: Windows 10

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by biggun_benny
close date 2022-04-13 09:30:09.248719

Comments

Thank you very much fellas, for your quick responses. It is much appreciated.

biggun_benny gravatar imagebiggun_benny ( 2022-04-13 09:29:14 +0000 )edit
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2022-04-13 08:02:44 +0000

Guy Harris gravatar image

The packet capture was done on the server itself and I was suspecting "Large Segment Offloading" to silently split these packet into MTU size ones.

That's probably what's happening.

But is it allowed to do so with DF set?

Yes.

TCP segmentation/desegmentation offloading is different from IP fragmentation; the DF bit is an IP-layer bit, saying "do not carve this IP datagram into multiple IP fragments".

TCP segmentation is the dividing of a chunk of bytes into multiple TCP segments, each of which is put into a single IP datagram; those datagrams will be MTU-sized. TCP segmentation offloading means that the host can send a large chunk of bytes - too large to fit into a single MTU-sized IP datagram - to the network adapter, and the adapter will send it out as multiple TCP segments. That single large chunk of bytes might be supplied to the capture mechanism as a single packet, but that doesn't mean it went out on the network as a single datagram.

TCP desegmentation is the reassembly of TCP segments into a single chunk of bytes to be provided to the code reading from the socket. TCP desegmentation offloading means that the adapter reassembles multiple TCP segments into a single chunk of bytes and hands that chunk to the host as a single packet. That single packet might be too large to go over the network in a single datagram, but that doesn't mean it did go over the network in a single datagram.

edit flag offensive delete link more
add a comment
0

answered 2022-04-13 08:00:46 +0000

Jasper gravatar image

The packets are greater than the MTU because you captured them on the server sending them, as you already suspected (the Large Segment Offloading happens after Wireshark picked them up already). I don't see a problem with the DF flag - it will be set for the last packet of the chain of packets when they're being created from the large segment you see.

I would recommend enabling ICMP, of course - there's no real security issue these days as ICMP redirects are ignored by modern TCP stacks (preventing a MiTM situation). You could still block it but enable all the "Destination Unreachable" messages to be able to receive error messages like "Fragmentation Needed".

edit flag offensive delete link more
add a comment

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-04-13 07:22:20 +0000

Seen: 270 times

Last updated: Apr 13 '22

Related questions

Why is the MSS not the same?

Adding a token to a https tcp header of a client hello

Frames above 2000 bytes not acknowledged by receiver

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2