Terminology

Last change on 2025-04-25 • Created on 2025-04-25 • ID: CL-BA7C3

Packet sizes, MTU, and MSS

To transfer data between different systems, packets are used. The maximum packet size that can be transmitted through a network (Maximum Transmission Unit — MTU) is dependent on the underlying network capabilities.

When a packet passes through a Hetzner private network, we add additional headers that allow us to distinguish the networks.

This results in the following size limits for packets that pass through our private networks:

Packet in Private Network (HTTP, FTP)

  • Private Network header: 50 bytes
  • IP header: 20 bytes
  • TCP header: 20 bytes
  • User Data / Payload: 1410 bytes (MSS)

1450 bytes (MTU)

Packet in Private Network (ping)

  • Private Network header: 50 bytes
  • IP header: 20 bytes
  • ICMP header: 8 bytes
  • User Data / Payload: 1422 bytes (ICMP payload)

1450 bytes (MTU)

If a packet is routed through several different interfaces and its size is less than or equal to the limit, it will pass through. If the packet is larger than the limit, the system will attempt IP fragmentation. If unsuccessful, the packet is dropped.

The default packet configuration for the public interface, the Docker bridge interface, and other interfaces, usually looks like this:

Note the difference in the values for MSS and MTU compared to the values in a private network.

Packet in Public Network (HTTP, FTP)

  • IP header: 20 bytes
  • TCP header: 20 bytes
  • User Data / Payload: 1460 bytes (MSS)

1500 bytes (MTU)

Packet in Public Network (ping)

  • IP header: 20 bytes
  • ICMP header: 8 bytes
  • User Data / Payload: 1472 bytes (ICMP payload)

1500 bytes (MTU)

Path MTU Discovery (PMTUD)

Path MTU Discovery is a system mechanism that helps determine the maximum packet size that can travel to a specific destination without fragmentation.

If a packet gets dropped because it is too big and an ICMP error message with the correct MTU is returned, PMTUD learns that MTU for this destination and uses it for future packets. If the next packet is still too big because of another intermediary with an even smaller MTU further down the path, it will be dropped again, triggering another ICMP message. PMTUD will continue this process until it finds the smallest MTU required for the entire path between the source and the destination.

If the system doesn't receive an ICMP message or the message doesn't contain the MTU, PMTUD fails and large packets will continue to get dropped. This can happen, for example, when the local system or a router on the packet's path drops ICMP packets.

MSS Clamping

To initialize the TCP connection, the client (source) sends a TCP SYN packet, which includes its local MSS value, to the server (destination). The server now knows both its own local MSS value and the MSS provided in the TCP SYN packet of the client. For all response packets, the server will use the lower MSS value of the two, and also send back its own local MSS value to the client.

  • By default, the TCP SYN packet uses an MSS value that corresponds to the MTU of the interface that the source uses to send the packet.
  • When you enable MSS Clamping, you can define a custom MSS value that should be used instead of the default.
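
The PMTUD and MSS Clamping behavior described above can be simulated offline. The following is an added example, not code from this page or from Hetzner; it shows how a link that filters ICMP turns a 1460-byte MSS into silently dropped packets, and how a clamped MSS of 1410 avoids that. Assumptions: packets are dropped rather than fragmented, each link is modeled as a constructed pair (MTU, whether its ICMP error reaches the sender), and all function names are hypothetical.

```python
# Added example with constructed values; header sizes match the tables above.
IP_HEADER = 20   # bytes, IPv4 header without options
TCP_HEADER = 20  # bytes, TCP header without options


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one unfragmented packet of this MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def syn_mss(interface_mtu, clamp=None):
    """MSS advertised in the SYN: derived from the interface MTU by default,
    or the custom value when MSS clamping is enabled."""
    return mss_for_mtu(interface_mtu) if clamp is None else clamp


def negotiated_mss(client_mss, server_mss):
    """Both sides end up using the lower of the two advertised values."""
    return min(client_mss, server_mss)


def full_packet(mss):
    """Size of a full-sized TCP packet for the given MSS."""
    return mss + IP_HEADER + TCP_HEADER


def discover_path_mtu(packet_size, hops):
    """Simulate PMTUD. hops is a list of (link_mtu, icmp_reaches_sender).
    Returns (path_mtu, attempts); path_mtu is None when PMTUD fails."""
    attempts = 0
    while True:
        attempts += 1
        # First link on the path that is too small for the current packet size.
        blocker = next((h for h in hops if h[0] < packet_size), None)
        if blocker is None:
            return packet_size, attempts      # packet fits the whole path
        link_mtu, icmp_reaches_sender = blocker
        if not icmp_reaches_sender:
            return None, attempts             # dropped silently: black hole
        packet_size = link_mtu                # learned MTU, retry smaller


if __name__ == "__main__":
    # Constructed path: 1500-byte link, then a 1450-byte link that filters ICMP.
    path = [(1500, True), (1450, False)]
    for clamp in (None, 1410):
        mss = negotiated_mss(syn_mss(1500, clamp), syn_mss(1500))
        print(clamp, mss, discover_path_mtu(full_packet(mss), path))
```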