MTU 1500: Fragmentation after 1472 bytes “Packet needs to be fragmented but DF set”

Are you getting an error message that says, “Packet needs to be fragmented but DF set” or “Frag needed and DF set”? If you’re curious about this error message, you’ve come to the right place! Let’s dive into the details.

What is MTU?

Before understanding the error message, it’s important to understand a key feature of the Internet Protocol (IP) called the Maximum Transmission Unit (MTU). MTU is the maximum data packet size that can be transmitted over your network. Specifically, for Ethernet, which is the most common network type, the MTU is set at 1500 bytes. This size includes the IP header and the actual data (payload).

Data network: default MTU = 1500
OS, VMware, etc.: default MTU = 1500

What Causes the Error Message?

This particular error message pops up when there is an attempt to send an IP packet that is too large for the network it’s traveling over. Specifically, it means the packet size exceeds the MTU.

Now, let’s talk about “DF”, which stands for “Don’t Fragment.” This is an instruction within the IP header that tells the network whether it’s okay to break the packet into smaller chunks or not. This brings us to ‘Fragmentation’.

What is Fragmentation?

Fragmentation is like a puzzle. It’s a process where the network breaks down a large packet into smaller pieces so they can travel over a network that can’t handle the original size. When these smaller pieces reach their destination, they are put back together to form the original packet.

But, when the “Don’t Fragment” bit is set, it tells the network not to break the packet down. This is where the problem arises. If the packet is too large to be sent, and the DF bit is set, then it’s like trying to fit a square peg into a round hole. It simply can’t be sent, resulting in an error message.
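The decision described above, modelled as an added example (not code from the original article): it builds a raw IPv4 header, reads the total length and the DF bit back out of it, and decides what a hop with a given outgoing MTU does. The function names, the sample addresses (documentation ranges) and the 0x1234 identification value are constructed for illustration.

```python
import struct

DF = 0x4000      # Don't Fragment bit in the 16-bit flags/fragment-offset word
MF = 0x2000      # More Fragments bit (set on every fragment except the last)
IP_HEADER = 20   # bytes, IPv4 header without options

def build_ipv4_header(payload_len, dont_fragment):
    """Minimal IPv4 header; constructed sample values, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER + payload_len, 0x1234,
                       DF if dont_fragment else 0, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def parse_ipv4_header(header):
    """Return (total_length, df_set) read from the raw header bytes."""
    _, _, total_len, _, flags_frag = struct.unpack("!BBHHH", header[:8])
    return total_len, bool(flags_frag & DF)

def router_decision(header, next_hop_mtu):
    """Model what a hop does when its outgoing link has `next_hop_mtu`."""
    total_len, df_set = parse_ipv4_header(header)
    if total_len <= next_hop_mtu:
        return "forward", [(0, total_len - IP_HEADER, False)]
    if df_set:
        # Packet is dropped; the hop answers with ICMP type 3, code 4
        # ("fragmentation needed and DF set").
        return "drop", []
    # Every fragment gets its own 20-byte header, and the data in each
    # fragment except the last must be a multiple of 8 bytes, because the
    # fragment-offset field counts 8-byte units.
    per_frag = (next_hop_mtu - IP_HEADER) // 8 * 8
    remaining, offset, frags = total_len - IP_HEADER, 0, []
    while remaining > 0:
        size = min(per_frag, remaining)
        remaining -= size
        frags.append((offset, size, remaining > 0))  # (byte offset, data bytes, MF)
        offset += size
    return "fragment", frags

if __name__ == "__main__":
    # 1508-byte IP payload, e.g. an 8-byte ICMP header plus 1500 data bytes
    print(router_decision(build_ipv4_header(1508, True), 1500))
    print(router_decision(build_ipv4_header(1508, False), 1500))
```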

Why Does it Happen During Pinging?

You might see this error message in an interesting scenario when using the ping command. Here’s why:

When you use the ping command, it sends packets to test the network connection. Ping uses a protocol called ICMP and adds an 8-byte ICMP header to the packet. The total size of the packet becomes the sum of the IP header, ICMP header, and payload.

For Ethernet, the maximum packet size of 1500 bytes includes a 20-byte IP header, an 8-byte ICMP header, and the payload. When you ping with an MTU of 1500, the packet size turns out to be 1500 + 8 = 1508 bytes. This exceeds the Ethernet MTU, and hence the error.

How to Avoid this Error?

To avoid this error, you need to subtract the sizes of the IP and ICMP headers from the MTU when pinging. For Ethernet, you should use a packet size of 1472 bytes (1500 – 20 (IP header) – 8 (ICMP header) = 1472) when using the ping command.

When you try to ping with an MTU of 1500, you get “Frag needed and DF Set” or in Windows you get “Packet needs to be fragmented but DF set”:

C:\>ping -f -l 1500 4.2.2.2

Pinging 4.2.2.2 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

But when you try with an MTU=1472, it works:

C:\>ping -f -l 1472 4.2.2.2

Pinging 4.2.2.2 with 1472 bytes of data:
Reply from 4.2.2.2: bytes=1472 time=21ms TTL=54
Reply from 4.2.2.2: bytes=1472 time=22ms TTL=54
Reply from 4.2.2.2: bytes=1472 time=22ms TTL=54
Reply from 4.2.2.2: bytes=1472 time=21ms TTL=54

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 22ms, Average = 21ms

Let’s go over what’s happening.

The error message “Packet needs to be fragmented but DF set” arises because the packet size specified in your ping command exceeds the Maximum Transmission Unit (MTU) for the network path to the destination. In other words, the network is being asked to transmit a packet that’s too large.

The MTU is the maximum size of a data packet to travel over a network. For Ethernet networks, the standard MTU is 1500 bytes.

When you run the command “ping -f -l 1500 4.2.2.2”, you send an ICMP echo request whose payload part alone is 1500 bytes. However, this does not account for the additional bytes that the IP and ICMP headers add. The ICMP header is typically 8 bytes, and the IP header is 20 bytes. This adds up to 28 bytes of overhead, so the total size of the ICMP packet is 1528 bytes.

The “-f” option in your ping command sets the “Don’t Fragment” (DF) bit in the IP header of the ping, indicating that the packet should not be fragmented into smaller packets for transmission.

Therefore, since the total packet size (1528 bytes) is larger than the MTU (1500 bytes), and the DF bit is set, the network cannot fragment the packet to make it fit within the MTU, and you get the error message.

To avoid this error, you can lower the size of the ping payload to account for the ICMP and IP headers. This would mean pinging with a size of 1472 bytes instead (1500 MTU – 20 IP header – 8 ICMP header = 1472 bytes). You could accomplish this with the command “ping -f -l 1472 4.2.2.2”.
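When the path MTU is not known in advance (a tunnel or VPN hop often lowers it below 1500), the same DF-set ping can be used to search for it. The following is an added example, not part of the original article: it binary-searches the largest payload that gets a reply with DF set and adds the 28 header bytes back. The function names are hypothetical, and `simulated_probe` is a constructed stand-in so the search can be run without a network.

```python
import platform
import subprocess

IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header

def ping_probe(host):
    """Return probe(size) -> bool that sends one DF-set echo with `size` data bytes."""
    if platform.system() == "Windows":
        base = ["ping", "-f", "-n", "1", "-l"]        # -f sets DF, -l is payload size
    else:
        base = ["ping", "-M", "do", "-c", "1", "-s"]  # Linux iputils: -M do sets DF
    def probe(size):
        out = subprocess.run(base + [str(size), host], capture_output=True, text=True)
        # A real echo reply line contains "TTL=" (Windows) or "ttl=" (Linux).
        return out.returncode == 0 and "ttl=" in out.stdout.lower()
    return probe

def simulated_probe(path_mtu):
    """Constructed stand-in for a network path with the given MTU."""
    return lambda size: size + IP_HEADER + ICMP_HEADER <= path_mtu

def largest_df_payload(probe, low=0, high=1500):
    """Largest payload in [low, high] that passes with DF set, or None if none does."""
    if not probe(low):
        return None          # host unreachable or ICMP filtered: nothing to measure
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, the answer is mid or larger
        else:
            high = mid - 1   # mid needs fragmentation, the answer is smaller
    return low

def path_mtu(probe):
    """Path MTU implied by the largest DF payload (payload + IP + ICMP headers)."""
    payload = largest_df_payload(probe)
    return None if payload is None else payload + IP_HEADER + ICMP_HEADER

if __name__ == "__main__":
    print(largest_df_payload(simulated_probe(1500)))   # plain Ethernet path
    print(path_mtu(simulated_probe(1400)))             # path with a smaller hop
    # Against a real host: path_mtu(ping_probe("4.2.2.2"))
```

Raise `high` when testing links that may carry jumbo frames; with the default the search never reports more than 1500 bytes of payload.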

How do I check the MTU on the Client

On Windows Server

You can check the MTU setting on your network interface in Windows Server by using the netsh command in a command prompt:

  1. Open a Command Prompt with Administrative privileges.
  2. Type netsh interface ipv4 show subinterfaces and hit Enter.

You should see a list of your network interfaces along with various settings, including the MTU.

C:\>netsh interface ipv4 show interface

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 15          25        1500  connected     Ethernet

On Linux

The MTU can be checked by using the ip command or ifconfig command.

  1. Open a Terminal.
  2. Type ip link show and hit Enter, or type ifconfig and hit Enter.

Both commands will show the MTU setting for each of your network interfaces.

On macOS

In macOS, you can check the MTU setting by using the networksetup command or ifconfig command.

  1. Open a Terminal.
  2. Type networksetup -getMTU <networkservice> and hit Enter, where `<networkservice>` is the name of the network interface you want to check. For example, `networksetup -getMTU Wi-Fi` for a Wi-Fi connection.

Or,

Type ifconfig and hit Enter. This will display information about all network interfaces, and you can find the MTU listed as ‘mtu’ in the output.

networksetup -getMTU en0             
Active MTU: 1500 (Current Setting: 1500)
ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

Please note that on all these systems, you may need administrative or `sudo` privileges to execute these commands.

Wrapping Up

The “Packet needs to be fragmented but DF set” error message can be a bit cryptic at first glance. However, understanding MTU, fragmentation, and the role of the IP and ICMP headers can help make sense of it. Keeping the packet size within limits by accounting for headers ensures smooth data transmission without running into this error.