In article <20140814141900.777d6f0c at tomh>,
Tom Horsley <horsley1953 at gmail.com> wrote:
> > If you look inside the ICMP packet in wireshark, it will tell you
> > who sent it and what MTU they said was acceptable.
>
> Well, I'm definitely drowning in network confusion here :-).
>
> Everyone's MTU is the default 1500, I checked all systems in
> the path.
>
> The wireshark display says 1516 in the Length column for the
> NFS packet that always shows up before the ICMP errors. If I
> expand the "IP V4" line in the packet, it says "Total Length: 1500"
> for that READDIRPLUS Reply which says 1516 for the capture
> length. It also has the "Don't fragment" flag set.
>
> It looks like the 16 byte extra is confusing it, but I have no
> idea why that is different than the IPv4 length info.

The 1516 is the total length of the ethernet frame, and is normal for
a 1500 MTU. The 16 bytes is the link-layer header.

When looking at the ICMP Frag-needed packet in Wireshark, look particularly
at (a) its source and destination addresses, (b) the "MTU of next hop" field
(in expansion of ICMP), and (c) the source and destination addresses of the
packet it was complaining about.

Here's an example from one of my recent traces:

Frame 235: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 10.30.0.245 (10.30.0.245), Dst: 172.22.21.48 (172.22.21.48)
                            (a)   ^^^^^^^^^^^^^^^^^^^^^^^^        ^^^^^^^^^^^^^^^^^^^^^^^^^^
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 4 (Fragmentation needed)
    Checksum: 0x81df [correct]
    MTU of next hop: 1476
               (b)   ^^^^
    Internet Protocol Version 4, Src: 172.22.21.48 (172.22.21.48), Dst: 172.27.60.31 (172.27.60.31)
                                (c)   ^^^^^^^^^^^^^^^^^^^^^^^^^^        ^^^^^^^^^^^^^^^^^^^^^^^^^^
    Transmission Control Protocol, Src Port: ssh (22), Dst Port: 56199 (56199)

Cheers
Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
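
The three things the reply says to check, (a), (b) and (c), can also be pulled out of a captured packet programmatically. The following is an added example, not part of the original post: the function names are hypothetical, and the sample bytes are constructed from the addresses, ports and MTU shown in the trace, with a 1500-byte original packet length and zeroed checksums as assumptions.

```python
import socket
import struct

def parse_frag_needed(ip_packet: bytes):
    """Return fields (a), (b), (c) of an ICMP type 3 / code 4 message, else None.

    ip_packet starts at the outer IPv4 header (link-layer header already removed).
    """
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4                  # outer header length in bytes
    if ihl < 20 or ip_packet[9] != 1 or len(ip_packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack_from("!BBHHH", ip_packet, ihl)
    if (icmp_type, code) != (3, 4):
        return None
    info = {
        "reporter": socket.inet_ntoa(ip_packet[12:16]),  # (a) who sent the ICMP error
        "notified": socket.inet_ntoa(ip_packet[16:20]),  # (a) who is being told
        "next_hop_mtu": mtu,  # (b) 0 if the router does not implement RFC 1191
    }
    inner = ip_packet[ihl + 8:]                      # header of the packet complained about
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        info["orig_src"] = socket.inet_ntoa(inner[12:16])            # (c)
        info["orig_dst"] = socket.inet_ntoa(inner[16:20])            # (c)
        info["orig_total_length"] = struct.unpack_from("!H", inner, 2)[0]
        info["orig_df"] = bool(inner[6] & 0x40)      # Don't Fragment flag
    return info

def _ipv4_header(src, dst, proto, total_len, df=False):
    # Constructed header: id 0, TTL 64, checksum left at 0 (the parser does not verify it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000 if df else 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample: 20-byte outer IP + 8-byte ICMP + 20-byte inner IP + 8 bytes of TCP.
SAMPLE = (
    _ipv4_header("10.30.0.245", "172.22.21.48", 1, 56)
    + struct.pack("!BBHHH", 3, 4, 0, 0, 1476)
    + _ipv4_header("172.22.21.48", "172.27.60.31", 6, 1500, df=True)
    + struct.pack("!HHI", 22, 56199, 0)              # source port, destination port, sequence
)

if __name__ == "__main__":
    for key, value in parse_frag_needed(SAMPLE).items():
        print(f"{key}: {value}")
```

A reported next-hop MTU smaller than the original packet's total length, with the Don't Fragment flag set on that packet, is the combination that makes a router send this error.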