0

Just recently I came to know that the payload of Ethernet is max 1500 bytes (MTU).

The first thing that came to my mind was that we can ping with a much larger size than that. So I thought maybe the ping packet is being fragmented in some way. So I checked in Wireshark and I saw that it's only one packet, even when I ping with a size of 10,000 bytes.

What is the explanation behind this?

Update:

Even if jumbo Ethernet frames are used, which support up to 9000 bytes, I can still ping with something like 17,000 bytes, which is still larger than 9000.

AhmedWas
  • 1
    On Unix-type operating systems you should add the `-M do` option to your ping command, i.e. `ping -M do -s 1700 cnn.com`, if you really want to discover the MTU. Also, Wireshark reassembles packets. You can turn off this behavior in the IP preferences by deselecting the "Reassemble fragmented IP datagrams" checkbox. – ColtonCat Nov 20 '18 at 07:28
  • @ColtonCat How should the packets look in Wireshark when I disable the "Reassemble fragmented IP datagrams" option? When I tried it, I also saw the same number of packets displayed. The only difference is that the size of the payload is limited by the Ethernet frame, but the number of packets is the same. – AhmedWas Nov 20 '18 at 10:07
  • @ColtonCat I was filtering the Wireshark results using ICMP, that's why I wasn't able to see the fragmented results. Wireshark puts the fragmented packets under the fragmented IP protocol, not ICMP. – AhmedWas Nov 20 '18 at 14:04
  • 1
    From _[RFC 791, Internet Protocol](https://tools.ietf.org/html/rfc791)_: "_**1.4. Operation** The internet protocol implements two basic functions: addressing and fragmentation._" Also, "_In the routing of messages from one internet module to another datagrams may need to traverse a network whose maximum packet size is smaller than the size of the datagram. To overcome this difficulty, a fragmentation mechanism is provided in the internet protocol._" – Ron Maupin Nov 21 '18 at 07:39

1 Answer

1

Based on @ColtonCat's comment

The answer is simply because IP fragmentation takes place.

Example: ping with size 2000 bytes and the MTU is max 1518, you can see in Wireshark that both the ping request and reply are each fragmented into 1518 and 566 byte packets.

The calculation is as follows: 18 bytes for the Ethernet header (src MAC 6, dst MAC 6, type 2, FCS 4), 20 bytes for the IP header, 8 bytes for ICMP >> 46. The MTU is 1518, so that leaves 1472 bytes of data (1518 - 46).

The same calculation is done for the second fragmented packet.

Note: Wireshark doesn't show the FCS bytes. So you just need to subtract 4. Also, all of this may take place for IPv4, as in IPv6 no fragmentation is allowed.

AhmedWas
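The fragment sizes worked out in the answer above can be reproduced with a short calculation. This is an added example, not part of the original answer; it assumes an IPv4 header without options and a 1500-byte IP MTU carried in an Ethernet frame with a 14-byte header and 4-byte FCS, and the function and field names are made up for the illustration.

```python
# Added example: IPv4 fragmentation layout for an ICMP echo (ping) on Ethernet.
ETH_HEADER = 14   # dst MAC 6 + src MAC 6 + EtherType 2
ETH_FCS = 4       # frame trailer; Wireshark normally does not show it
IP_HEADER = 20    # IPv4 header without options (assumption)
ICMP_HEADER = 8   # ICMP echo header, present only in the first fragment


def fragment_ping(data_size, ip_mtu=1500):
    """Return one dict per IPv4 fragment of a ping carrying data_size bytes.

    Padding of frames shorter than the Ethernet minimum is ignored.
    """
    if data_size < 0:
        raise ValueError("data_size must not be negative")
    if ip_mtu < IP_HEADER + 8:
        raise ValueError("MTU too small to carry an IPv4 fragment")
    ip_payload = ICMP_HEADER + data_size   # what IP has to carry in total
    # Every fragment except the last must carry a multiple of 8 bytes,
    # because the fragment offset field counts 8-byte units.
    per_fragment = (ip_mtu - IP_HEADER) // 8 * 8
    fragments, offset = [], 0
    while True:
        chunk = min(per_fragment, ip_payload - offset)
        last = offset + chunk >= ip_payload
        ip_total = IP_HEADER + chunk
        fragments.append({
            "offset_field": offset // 8,      # value stored in the IP header
            "more_fragments": not last,       # MF flag
            "ip_total_length": ip_total,
            "frame_in_wireshark": ETH_HEADER + ip_total,
            "frame_on_wire": ETH_HEADER + ip_total + ETH_FCS,
        })
        offset += chunk
        if last:
            return fragments


if __name__ == "__main__":
    for size in (1472, 2000, 10000):
        print(f"ping data size {size}:")
        for frag in fragment_ping(size):
            print("  ", frag)
```

Only the first fragment contains the ICMP header, which is why a display filter on ICMP alone hides the other fragments when reassembly is switched off.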