Firewall Wizards mailing list archives

Re: easy way to scan for issues with path mtu discovery?


From: "kevin horvath" <kevin.horvath () gmail com>
Date: Wed, 25 Jun 2008 13:46:22 -0400

Patrick,

If you think you are having this type of issue you can try to run a
tcptraceroute on a port that is allowed to the destination (such as 80
for a web server).  This will obviously give you the hops along the
path to your destination.  Then you can try using the following
command to get the mss (max segment size) for each hop starting with
the destination and working your way back.

sudo nmap -sS -PN -p 80 --packet-trace --mtu 1504 x.x.x.x

This will perform a packet trace showing what nmap is doing under the
hood and will set your mtu to 1504.  Typically your interface is
already set to an mss of 1460 so to use something higher you will have
to change that on your interface using the ifconfig command.  Go ahead
and just use the 1460 (if you run the command above your interface
will automagically set it to 1460 until you change it).  Once the
command is run you will see a packet trace from nmap showing the
packet it sent and mss and then the target device will respond with
its mss also.  From here it's a process of elimination.

Note that setting the mtu higher will usually cause fragmentation and
fragmented packets are sometimes dropped or denied along the way
(which is probably your issue).  For example, if you are doing this
over an IPSec tunnel then note that the ESP encryption header adds to
the packet as it sends it along.  So if you're sending this data over an
IPSec tunnel then you will want to run a tcpdump or debug (preferably
debug ip icmp on your router if you have access to it) and look for
icmp errors of type 3 code 4 (fragmentation needed and do not fragment
bit set).  If you see this then packets that are at say 1460 then add
the encrypt header will put you above the typical mss of 1460 and the
packet will be dropped.

On Mon, Jun 23, 2008 at 10:52 AM, Darden, Patrick S. <darden () armc org> wrote:

Hi all,

Does anyone know of an easy way to scan for issues with path mtu discovery along a hop path?  E.g. if you think
someone is black-holing along a route, or even on the endpoint host, could you use some obscure nmap flag to find out
for sure, and also to identify the offending hop/router/host?  What tool would you use to test for this, and how
would you do such a test?

Seems to me this happens often enough that someone has already figured it out, so I am trying not to reinvent the
wheel.  All I can think of would be to handcraft packets (which is laborious at best).  Google has not been kind to
my researches so far.

I appreciate any help!
--Patrick Darden
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
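As an added example (not from this thread or its authors), the ICMP type 3 code 4 check the reply describes, done offline on a captured IPv4 packet: it validates the ICMP checksum, extracts the reporting hop, the Next-Hop MTU (RFC 1191) and the original destination, and derives the TCP MSS that would fit the reported MTU. The addresses and sizes in build_sample are constructed test data, not a real capture.

```python
import struct
from typing import Optional

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid ICMP message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frag_needed(packet: bytes) -> Optional[dict]:
    """Return the PMTUD-relevant fields of an IPv4 packet carrying ICMP
    type 3 code 4 (Fragmentation Needed, DF set; RFC 1191), else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                      # not IPv4 carrying ICMP
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 28 or icmp[0] != 3 or icmp[1] != 4:
        return None                      # not Fragmentation Needed
    if icmp_checksum(icmp) != 0:
        return None                      # corrupted or forged message
    next_hop_mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = icmp[8:]                     # offending packet's IP header + 8 bytes
    return {
        "reporter": ".".join(map(str, packet[12:16])),   # hop that sent it
        "next_hop_mtu": next_hop_mtu,    # 0 means an old router gave no MTU
        "orig_dst": ".".join(map(str, inner[16:20])),
        "orig_len": struct.unpack("!H", inner[2:4])[0],
        "orig_proto": inner[9],
        # largest TCP MSS that fits the reported MTU (20 IP + 20 TCP headers)
        "tcp_mss_for_path": next_hop_mtu - 40 if next_hop_mtu >= 40 else None,
    }

def build_sample() -> bytes:
    """Constructed test packet (not a real capture): router 10.0.0.1 tells
    192.0.2.5 that its 1500-byte DF TCP segment to 192.0.2.10 needs MTU 1400."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        bytes([192, 0, 2, 5]), bytes([192, 0, 2, 10])) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + inner
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                        bytes([10, 0, 0, 1]), bytes([192, 0, 2, 5]))
    return outer + icmp  # outer IP checksum left 0; parser does not verify it
```

Feed it the IPv4 payloads from a pcap of the tcpdump run the reply suggests; a hop that reports a Next-Hop MTU below what the endpoint is sending, or no such message at all while large DF packets vanish, is the black hole being looked for.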
