
Acronym for Maximum Segment Size


Changing the TCP MSS sent in SYN packets on Linux

Run "ifconfig <interface> mtu <N>", where <interface> is the interface name and N is the wanted MSS value + 40 (20 bytes of IPv4 header plus 20 bytes of TCP header). Example: ifconfig eth0 mtu 1360. The MSS will be 1320 (if there are no TCP options).

Adjusting the TCP MSS on an intermediate router

The TCP MSS Adjustment feature enables the configuration of the maximum segment size (MSS) for transient packets that traverse a router, specifically TCP segments with the SYN bit set, when Point to Point Protocol over Ethernet (PPPoE) is being used in the network. PPPoE truncates the Ethernet maximum transmission unit (MTU) to 1492, and if the effective MTU on the hosts (PCs) is not changed, the router in between the host and the server can terminate the TCP sessions.

Linux's TCP MSS Adjustment Feature

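Use "iptables --table mangle --insert OUTPUT --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --set-mss <mss>" to modify the MSS value, where <mss> is the wanted value. The TCPMSS target only works on TCP SYN packets, so the rule has to match them with --tcp-flags.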

Cisco's TCP MSS Adjustment Feature

The ip tcp adjust-mss command sets, on the intermediate router, the MSS value of the SYN packets to avoid truncation.

  • The ip tcp adjust-mss command helps prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN packets.
  • The ip tcp adjust-mss command is effective only for TCP connections passing through the router.

More information is available on the Cisco Systems web site.


Usage Guidelines

When a host (usually a PC) initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.

The PPP over Ethernet (PPPoE) standard supports an MTU of only 1492 bytes. The disparity between the host and PPPoE MTU size can cause the router in between the host and the server to drop 1500-byte packets and terminate TCP sessions over the PPPoE network. Even if the path MTU (which detects the correct MTU across the path) is enabled on the host, sessions may be dropped because system administrators sometimes disable the ICMP error messages that must be relayed from the host in order for path MTU to work.
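
What an MSS-adjusting hop does to a SYN, as an added Python example (not code from this page, Linux or Cisco): it finds the MSS option, lowers it if it exceeds the configured value, and patches the TCP checksum incrementally. The function names, addresses, ports and the sample segment are constructed for illustration; 1452 is the 1492-byte PPPoE MTU minus the 40 bytes used above.

```python
# Added illustration; clamp_mss/sample_syn are hypothetical names, not Linux or Cisco code.
import struct

def csum16(data: bytes) -> int:
    """Internet checksum: complemented one's-complement sum of 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(tcp: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN to max_mss; other segments pass unchanged."""
    hlen = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if hlen < 20 or hlen > len(tcp) or not tcp[13] & 0x02:
        return tcp                      # malformed header or not a SYN
    buf, i = bytearray(tcp), 20
    while i < hlen and buf[i] != 0:     # kind 0 = end of option list
        if buf[i] == 1:                 # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= hlen or buf[i + 1] < 2 or i + buf[i + 1] > hlen:
            break                       # malformed option: stop, change nothing
        if buf[i] == 2 and buf[i + 1] == 4:          # kind 2 = MSS
            old = struct.unpack_from("!H", buf, i + 2)[0]
            if old > max_mss:           # only ever lower the value
                struct.pack_into("!H", buf, i + 2, max_mss)
                o, n = old, max_mss
                if i % 2:               # value straddles two checksum words
                    o, n = (o << 8 | o >> 8) & 0xFFFF, (n << 8 | n >> 8) & 0xFFFF
                # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
                s = (~struct.unpack_from("!H", buf, 16)[0] & 0xFFFF) + (~o & 0xFFFF) + n
                s = (s & 0xFFFF) + (s >> 16)
                s = (s & 0xFFFF) + (s >> 16)
                struct.pack_into("!H", buf, 16, ~s & 0xFFFF)
            break
        i += buf[i + 1]
    return bytes(buf)

def sample_syn(options: bytes, flags: int = 0x02):
    """Constructed segment (documentation addresses); returns (pseudo_header, tcp)."""
    seg = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (5 + len(options) // 4) << 4, flags, 64240, 0, 0) + options
    pseudo = bytes([192, 0, 2, 10, 198, 51, 100, 20, 0, 6]) + struct.pack("!H", len(seg))
    return pseudo, seg[:16] + struct.pack("!H", csum16(pseudo + seg)) + seg[18:]

if __name__ == "__main__":
    pseudo, syn = sample_syn(struct.pack("!BBH", 2, 4, 1460))
    out = clamp_mss(syn, 1452)          # 1492-byte PPPoE MTU minus 40
    print(struct.unpack_from("!H", out, 22)[0], csum16(pseudo + out) == 0)
```

A checksum of 0 over the pseudo-header plus the rewritten segment confirms the receiver will still accept the SYN after the MSS has been lowered.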