
How are these packets handled? [closed]

Hello :-)

I have a web server that is often sending packets that are greater than the MTU, while having the DF flag (Don't Fragment) set. This seemingly works 99% of the time, but I cannot understand how this functions underneath. See screenshot from Wireshark here:

https://1drv.ms/u/s!Ar2R-UAQbAAomyFZu...

Question is how is this handled?

The packet capture was done on the server itself and I was suspecting "Large Segment Offloading" to silently split these packets into MTU-sized ones. But is it allowed to do so with DF set? Or will the NIC simply drop the packet even before it reaches the network?

Bonus info: This machine is located on a network where ICMP has been disabled, and I suspect this is why I never hear "Packet needs to be fragmented but DF set" back. Yet, as I said, it seems to work almost all the time.

Environment: Windows 10

biggun_benny
asked 2022-04-13 07:22:20 +0000, updated 2024-07-15 13:11:05 +0000

Closed for the following reason "the question is answered, right answer was accepted" by biggun_benny 2022-04-13 09:30:09 +0000

Comments

Thank you very much fellas, for your quick responses. It is much appreciated.

biggun_benny (2022-04-13 09:29:14 +0000)

2 Answers


The packets are greater than the MTU because you captured them on the server sending them, as you already suspected (the Large Segment Offloading happens after Wireshark picked them up already). I don't see a problem with the DF flag - it will be set for the last packet of the chain of packets when they're being created from the large segment you see.

I would recommend enabling ICMP, of course - there's no real security issue these days as ICMP redirects are ignored by modern TCP stacks (preventing a MiTM situation). You could still block it but enable all the "Destination Unreachable" messages to be able to receive error messages like "Fragmentation Needed".

Jasper
answered 2022-04-13 08:00:46 +0000

> The packet capture was done on the server itself and I was suspecting "Large Segment Offloading" to silently split these packets into MTU-sized ones.

That's probably what's happening.

> But is it allowed to do so with DF set?

Yes.

TCP segmentation/desegmentation offloading is different from IP fragmentation; the DF bit is an IP-layer bit, saying "do not carve this IP datagram into multiple IP fragments".

TCP segmentation is the dividing of a chunk of bytes into multiple TCP segments, each of which is put into a single IP datagram; those datagrams will be MTU-sized. TCP segmentation offloading means that the host can send a large chunk of bytes - too large to fit into a single MTU-sized IP datagram - to the network adapter, and the adapter will send it out as multiple TCP segments. That single large chunk of bytes might be supplied to the capture mechanism as a single packet, but that doesn't mean it went out on the network as a single datagram.

TCP desegmentation is the reassembly of TCP segments into a single chunk of bytes to be provided to the code reading from the socket. TCP desegmentation offloading means that the adapter reassembles multiple TCP segments into a single chunk of bytes and hands that chunk to the host as a single packet. That single packet might be too large to go over the network in a single datagram, but that doesn't mean it did go over the network in a single datagram.

Guy Harris
answered 2022-04-13 08:02:44 +0000
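
The segmentation described in this answer, as an added example that is not part of the original post: a Python sketch of what a TSO-capable adapter does with one oversized packet handed down by the host, producing MTU-sized TCP segments that each keep DF set and are never IP fragments. The addresses, ports, 1500-byte MTU, option-free headers and per-segment IP ID increment are assumptions made for the illustration.

```python
import struct

MTU, IP_HLEN, TCP_HLEN = 1500, 20, 20   # assumed: Ethernet MTU, no IP/TCP options
MSS = MTU - IP_HLEN - TCP_HLEN          # 1460 payload bytes per wire segment
DF = 0x4000                             # Don't Fragment bit in the flags/offset field
FIN, PSH = 0x01, 0x08                   # TCP flags that belong on the last segment only

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build(src, dst, ip_id, sport, dport, seq, ack, flags, payload):
    """One IPv4/TCP datagram with DF set and valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + len(tcp) + len(payload),
                     ip_id, DF, 64, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp + payload

def tso_split(big: bytes, mss: int = MSS):
    """Split one oversized IPv4/TCP packet into wire-sized TCP segments."""
    _, _, _, ip_id, _, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", big[:20])
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", big[20:34])
    payload = big[40:]
    out = []
    # max(..., 1) so a payload-less packet still yields one segment
    for i, off in enumerate(range(0, max(len(payload), 1), mss)):
        last = off + mss >= len(payload)
        seg_flags = flags if last else flags & ~(FIN | PSH)
        # Assumed behaviour: IP ID goes up by one per segment, sequence number
        # advances by the bytes already sent, lengths and checksums are redone.
        out.append(build(src, dst, (ip_id + i) & 0xFFFF, sport, dport,
                         (seq + off) & 0xFFFFFFFF, ack, seg_flags,
                         payload[off:off + mss]))
    return out

# Constructed sample: the 4040-byte "packet" a capture on the sender would show.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
BIG = build(SRC, DST, 0x1000, 443, 50000, 1000, 1, 0x18, bytes(4000))
SEGMENTS = tso_split(BIG)
for s in SEGMENTS:
    print(len(s), "bytes, DF =", bool(int.from_bytes(s[6:8], "big") & DF))
```
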