In my last article, I explained how TCP SYN analysis reveals accurate round-trip times. In this article, I will discuss another TCP analysis option for network analysis and troubleshooting: maximum segment size (MSS), which is advertised as part of the SYN process. You can analyze the MSS value for insight into network performance and see how efficiently data is being transferred.
Before we get into the bits and bytes, please note that I’m using some standard IP and TCP values. Depending on your network architecture and device configurations, your specific values may differ.
In the figure below, you can see that both devices have an MSS of 1,460 bytes, which is the maximum value for most Ethernet topologies. There are specific configurations such as jumbo Ethernet frame support, dialup, PPPoE, and other scenarios that will require you to decrease or increase the maximum transmission unit (MTU).
If the MSS value is less than the maximum, it may be due to a smaller IP MTU setting. For example, if the IP MTU is 200 bytes smaller to support VPN traffic, the TCP MSS will also be 200 bytes less. The diagram below illustrates the size dependency between the IPv4 MTU and the TCP MSS.
The goal is to determine and validate the IP MTU value or settings when the TCP MSS is less than expected. Validating the MSS can be challenging since you might not have physical access to all the layer 3 (and higher) devices between the two devices.
There are many tips and tricks to perform MTU discovery. For example, you can ping the end device with the “don’t fragment” bit set. This will only work if ICMP is supported by all the intermediate devices. Another trick would be to connect to another device on the same network and compare TCP SYN packets.
So what MSS value do I consider small? My rule of thumb is that anything less than 1,000 bytes is worth investigating. Below you can see that the server responds with an MSS of 512, which is much smaller than the 1,460 that we were expecting. This means that you will have to send three 512-byte segments instead of one 1,460-byte segment. It is important to note that the smaller of the two MSS values is used for the conversation.
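To make the MSS arithmetic above concrete, here is an added Python example (not code from the article) that pulls the MSS option out of a raw IPv4/TCP SYN, derives the IPv4 MTU it implies, picks the effective MSS for a conversation, and applies the 1,000-byte rule of thumb. The SYN bytes are constructed inline for the demonstration, not taken from a real capture.

```python
import math
import struct

def build_syn(mss):
    """Build a constructed IPv4 header + TCP SYN (no payload) carrying an MSS option."""
    # TCP options: MSS (kind 2, len 4), NOP, NOP, SACK-permitted (kind 4, len 2)
    tcp_opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (20 + len(tcp_opts)) // 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + tcp_opts  # 0x02 = SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))        # DF set, proto 6
    return ip + tcp

def parse_mss(packet):
    """Return the advertised MSS from a raw IPv4/TCP SYN, or None if not a SYN / no option."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if not tcp[13] & 0x02:                            # only SYNs advertise MSS
        return None
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of option list
            break
        if kind == 1:                                 # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def implied_ipv4_mtu(mss):
    """MSS = MTU - 20 (IPv4 header) - 20 (TCP header) when neither carries options."""
    return mss + 40

def effective_mss(client_mss, server_mss):
    """Both sides advertise; the smaller value governs the conversation."""
    return min(client_mss, server_mss)

def segments_needed(payload_bytes, mss):
    return math.ceil(payload_bytes / mss)

def is_suspiciously_small(mss, threshold=1000):
    """Rule of thumb from the article: anything under 1,000 bytes deserves a look."""
    return mss < threshold
```

Feeding a SYN with MSS 512 through these functions shows an implied MTU of 552 and three segments per 1,460 bytes of data, which is exactly the symptom to chase back to an MTU setting.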
This next example is based on a very interesting problem that I troubleshot, in which the sending device set its MSS to 2, which turned out to be a driver bug in a firewall/NAT appliance.
If you need to investigate MTU or MSS issues, it's important to concentrate on the correct devices. For example, it's quite common for VPN clients or PPPoE configurations to reduce the IP MTU. In some cases, you can verify your settings in the registry in Microsoft operating systems. For other operating systems, a simple internet search on how to modify your IP MTU should get you a result.
Network equipment such as routers, firewalls, NAT devices, proxies and load balancers that operate at layer 3 or higher will have various ways to confirm the IP MTU. True layer 2 switches, hubs, taps, modulators or transceivers do not operate at layer 3, so you can skip those.
For example, the show interface command will display the current MTU of a Cisco router as shown below.
Overall, when dealing with network performance issues, it pays off to make sure you are receiving/sending the maximum packet size for your specific configuration.