Firewall Wizards mailing list archives
Re: easy way to scan for issues with path mtu discovery?
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Wed, 25 Jun 2008 13:46:22 -0400
Patrick,

If you think you are having this type of issue you can try to run a tcptraceroute on a port that is allowed to the destination (such as 80 for a web server). This will obviously give you the hops along the path to your destination. Then you can try using the following command to get the mss (max segment size) for each hop starting with the destination and working your way back.

sudo nmap -sS -PN -p 80 --packet-trace -mtu 1504 x.x.x.x

This will perform a packet trace showing what nmap is doing under the hood and will set your mtu to 1504. Typically your interface is already set to an mss of 1460 so to use something higher you will have to change that on your interface using the ifconfig command. Go ahead and just use the 1460 (if you run the command above your interface will automagically set it to 1460 until you change it). Once the command is run you will see a packet trace from nmap showing the packet it sent and mss and then the target device will respond with its mss also. From here it's a process of elimination.

Note that setting the mtu higher will usually cause fragmentation and fragmented packets are sometimes dropped or denied along the way (which is probably your issue). For example, if you are doing this over an IPSec tunnel then note that the ESP encryption header adds to the packet as it sends it along. So if you're sending this data over an IPSec tunnel then you will want to run a tcpdump or debug (preferably debug ip icmp on your router if you have access to it) and look for icmp errors of type 3 code 4 (fragmentation needed and do not fragment bit set). If you see this then packets that are at say 1460 then add the encrypt header will put you above the typical mss of 1460 and the packet will be dropped.

On Mon, Jun 23, 2008 at 10:52 AM, Darden, Patrick S. <darden () armc org> wrote:
Hi all,

Does anyone know of an easy way to scan for issues with path mtu discovery along a hop path? E.g. if you think someone is black-holing along a route, or even on the endpoint host, could you use some obscure nmap flag to find out for sure, and also to identify the offending hop/router/host? What tool would you use to test for this, and how would you do such a test?

Seems to me this happens often enough that someone has already figured it out, so I am trying not to reinvent the wheel. All I can think of would be to handcraft packets (which is laborious at best). Google has not been kind to my researches so far.

I appreciate any help!

--Patrick Darden

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
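Added example, not from the thread or any of its participants: a small Python parser that pulls the ICMP type 3 code 4 ("fragmentation needed") messages Kevin refers to out of tcpdump text output, reports the lowest next-hop MTU seen and which hop sent it, and derives the TCP MSS an endpoint would need to clamp to. The capture lines are constructed for the example, and the 40-byte header figure assumes IPv4 with a TCP header carrying no options.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample tcpdump output (not a real capture): a SYN/SYN-ACK pair
# plus two ICMP "need to frag" errors reported by different hops on the path.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [S], seq 1, win 65535, options [mss 1460], length 0
12:00:01.000512 IP 10.0.0.1 > 192.168.1.10: ICMP 203.0.113.5 unreachable - need to frag (mtu 1400), length 556
12:00:01.001000 IP 203.0.113.5.80 > 192.168.1.10.51234: Flags [S.], seq 100, ack 2, win 29200, options [mss 1460], length 0
12:00:02.000000 IP 172.16.0.1 > 192.168.1.10: ICMP 203.0.113.5 unreachable - need to frag (mtu 1378), length 556
"""

# tcpdump renders ICMP type 3 code 4 as "<orig dst> unreachable - need to frag (mtu N)".
FRAG_NEEDED = re.compile(
    r"^\S+ IP (?P<reporter>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<orig_dst>[\d.]+) "
    r"unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options (assumption)


def parse_frag_needed(text: str) -> List[Tuple[str, str, int]]:
    """Return (reporting hop, original destination, advertised next-hop MTU) per need-to-frag line."""
    found = []
    for line in text.splitlines():
        m = FRAG_NEEDED.match(line)
        if m:
            found.append((m.group("reporter"), m.group("orig_dst"), int(m.group("mtu"))))
    return found


def path_mtu_summary(text: str) -> Optional[Tuple[str, int, int]]:
    """Smallest MTU reported along the path, the hop that reported it, and the MSS to clamp to.

    Returns None when no such ICMP appears. DF-set probes that go missing with no
    need-to-frag message in the trace is the black-hole case the thread describes:
    the ICMP is generated somewhere but filtered before it reaches the sender.
    """
    errs = parse_frag_needed(text)
    if not errs:
        return None
    hop, _, mtu = min(errs, key=lambda e: e[2])
    return hop, mtu, mtu - IPV4_TCP_HEADERS
```

Feed it `tcpdump -n -l icmp` output piped through a file; over an IPsec tunnel the ESP overhead shows up as a smaller advertised MTU from the tunnel endpoint.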