MTU 1500: Fragmentation after 1472 bytes “Packet needs to be fragmented but DF set”

Data network = default MTU 1500
OS / VMware / etc. = default MTU 1500

When you ping with a 1500-byte payload and the don't-fragment flag set (-f), you get “Frag needed and DF set”, or on Windows “Packet needs to be fragmented but DF set”:

C:\>ping -f -l 1500 4.2.2.2

Pinging 4.2.2.2 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

But with a 1472-byte payload, it works:

C:\>ping -f -l 1472 4.2.2.2

Pinging 4.2.2.2 with 1472 bytes of data:
Reply from 4.2.2.2: bytes=1472 time=21ms TTL=54
Reply from 4.2.2.2: bytes=1472 time=22ms TTL=54
Reply from 4.2.2.2: bytes=1472 time=22ms TTL=54
Reply from 4.2.2.2: bytes=1472 time=21ms TTL=54

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 22ms, Average = 21ms

There is a 28-byte difference, but why?

The 1500-byte MTU is the standard payload of a conventional Ethernet frame: up to 1500 bytes of Layer 3 data can be carried in one frame without fragmentation. The protocol headers carried inside that payload, on the other hand, reduce the space left for your actual data.

In the ping scenario, those headers belong to IP and ICMP. The IPv4 header (without options) is 20 bytes long and the ICMP echo header is 8 bytes long.

So the largest ping payload that fits in one packet is:
1500 bytes (Ethernet MTU) – 20 bytes (IP header) – 8 bytes (ICMP header) = 1472 bytes

So ping adds 28 bytes of headers to whatever payload size you ask for and then sends the packet. If you ask for 1500 bytes of data (-l 1500 on Windows, -s 1500 on Linux), the packet actually sent is 1500 + 28 = 1528 bytes. That exceeds the 1500-byte MTU, and because DF is set the packet is rejected instead of being fragmented.
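The arithmetic above as a worked example (added here; not code from the original post): the header overhead as a function, a check of the two outcomes seen in the Windows ping transcripts, and a DF-probe binary search for the largest payload a path accepts. The path MTUs it probes are a constructed stand-in; no packets are sent, and the IPv6 case goes slightly beyond the post's IPv4 scenario.

```python
import re

IPV4_HEADER = 20   # bytes, IPv4 header with no options
IPV6_HEADER = 40   # bytes, fixed IPv6 header
ICMP_HEADER = 8    # bytes, ICMP / ICMPv6 echo header


def max_ping_payload(mtu, ip_version=4):
    """Largest 'ping -f -l <n>' that still fits in one IP packet of this MTU."""
    ip_hdr = IPV4_HEADER if ip_version == 4 else IPV6_HEADER
    return mtu - ip_hdr - ICMP_HEADER


def packet_size(payload, ip_version=4):
    """Bytes ping actually puts on the wire (the IP packet) for -l <payload>."""
    ip_hdr = IPV4_HEADER if ip_version == 4 else IPV6_HEADER
    return payload + ip_hdr + ICMP_HEADER


# The two outcomes visible in the Windows ping transcripts above.
_FRAG_NEEDED = re.compile(r"Packet needs to be fragmented but DF set")
_REPLY = re.compile(r"Reply from \S+: bytes=(\d+)")


def probe_result(line):
    """True for an echo reply, False for a DF rejection, None for other lines."""
    if _FRAG_NEEDED.search(line):
        return False
    if _REPLY.search(line):
        return True
    return None


def find_max_payload(probe, lo=0, hi=9000):
    """Binary-search the largest payload for which probe(payload) is True.

    probe(n) models one 'ping -f -l n' attempt: True on a reply, False when
    the DF-set packet is rejected. Assumes success is monotone in n, which
    holds for a path limited by a single smallest MTU."""
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def simulated_path(path_mtu, ip_version=4):
    """Constructed stand-in for a real path (nothing is sent): a DF probe is
    accepted only if the whole IP packet fits in path_mtu."""
    return lambda payload: packet_size(payload, ip_version) <= path_mtu
```

On a real path, replace `simulated_path` with a probe that runs `ping -f -l <n>` and feeds each output line through `probe_result`.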

This is normal behavior! I see emails being sent around about this as if it’s an issue on the network side, but it isn’t. Please understand how MTUs work. This is why planning is critical in IT. If this was discussed during a planning stage, emails wouldn’t be sent out as high priority like it’s an issue. Everyone would be aware this is normal, and if the network/firewall team needs to adjust any MTUs, it would be planned out to do so.

Just an FYI:
Since almost everyone uses Windows, you can quickly check the interface MTU with netsh:

C:\>netsh interface ipv4 show interface

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 15          25        1500  connected     Ethernet