Terminology

Last change on 2025-10-07 • Created on 2025-04-25 • ID: NE-A1F7B

Packet sizes, MTU, and MSS

Data is transferred between systems in packets. The maximum packet size that can be transmitted through a network, the Maximum Transmission Unit (MTU), depends on the capabilities of the underlying network.

When a packet passes through a Hetzner private network, we add additional headers that allow us to distinguish the networks.

This results in the following size limits for packets that pass through our private networks:

Packet in Private Network (HTTP, FTP)

  | Private Network header | IP header | TCP header | User Data / Payload |
  | 50 bytes               | 20 bytes  | 20 bytes   | 1410 bytes (MSS)    |
  |                        |<------------- 1450 bytes (MTU) ------------->|

Packet in Private Network (ping)

  | Private Network header | IP header | ICMP header | User Data / Payload       |
  | 50 bytes               | 20 bytes  | 8 bytes     | 1422 bytes (ICMP payload) |
  |                        |<---------------- 1450 bytes (MTU) ----------------->|

If a packet is routed through several different interfaces, it passes through as long as its size is less than or equal to the MTU of each interface. If the packet is larger than the MTU, the system attempts IP fragmentation. If fragmentation is not possible, the packet is dropped.

The default packet configuration for the public interface, the Docker bridge interface, and other interfaces usually looks like this:

Note the difference in the values for MSS and MTU compared to the values in a private network.

Packet in Public Network (HTTP, FTP)

  | IP header | TCP header | User Data / Payload |
  | 20 bytes  | 20 bytes   | 1460 bytes (MSS)    |
  |<------------- 1500 bytes (MTU) ------------->|

Packet in Public Network (ping)

  | IP header | ICMP header | User Data / Payload       |
  | 20 bytes  | 8 bytes     | 1472 bytes (ICMP payload) |
  |<---------------- 1500 bytes (MTU) ----------------->|

Path MTU Discovery (PMTUD)

Path MTU Discovery is a system mechanism that helps determine the maximum packet size that can travel to a specific destination without fragmentation.

If a packet gets dropped because it is too big and an ICMP error message with the correct MTU is returned, PMTUD learns that MTU for this destination and uses it for future packets. If the next packet is still too big because of another intermediary with an even smaller MTU further down the path, it will be dropped again, triggering another ICMP message. PMTUD will continue this process until it finds the smallest MTU required for the entire path between the source and the destination.

If the system doesn't receive an ICMP message or the message doesn't contain the MTU, PMTUD fails and large packets will continue to get dropped. This can happen, for example, when the local system or a router on the packet's path drops ICMP packets.

MSS Clamping

To initialize the TCP connection, the client (source) sends a TCP SYN packet, which includes its local MSS value, to the server (destination). The server now knows both its own local MSS value and the MSS provided in the TCP SYN packet of the client. For all response packets, the server will use the lower MSS value of the two, and also send back its own local MSS value to the client.

  • By default, the TCP SYN packet uses an MSS value that corresponds to the MTU of the interface that the source uses to send the packet.
  • When you enable MSS Clamping, you can define a custom MSS value that should be used instead of the default.
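As an added example that is not from the Hetzner page: a small Python model of the size rules in the tables above, of PMTUD including the case where no ICMP error comes back, and of the SYN MSS exchange with clamping. The 50-byte private-network header, the 20/20/8-byte headers and the 1500/1450-byte MTUs are the page's values; the `Hop` class, the hop names and all function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR, TCP_HDR, ICMP_HDR = 20, 20, 8   # header sizes from the tables above
PRIVATE_NET_HDR = 50                    # encapsulation added in a private network


def effective_mtu(link_mtu: int, encap: int = 0) -> int:
    """Largest IP packet an interface can carry once encapsulation is subtracted."""
    return link_mtu - encap


def tcp_mss(mtu: int) -> int:
    """Largest TCP payload that fits one unfragmented packet on that interface."""
    return mtu - IP_HDR - TCP_HDR


def icmp_payload(mtu: int) -> int:
    """Largest ping payload that fits one unfragmented packet on that interface."""
    return mtu - IP_HDR - ICMP_HDR


@dataclass
class Hop:                      # constructed model of one interface on the path
    name: str
    mtu: int
    returns_icmp: bool = True   # False: drops oversized packets without any ICMP error


def send_with_pmtud(path: List[Hop], size: int, max_tries: int = 8) -> Tuple[bool, int]:
    """Send a packet of `size` bytes with DF set; shrink it each time a hop answers
    with ICMP 'fragmentation needed'. Returns (delivered, final packet size)."""
    for _ in range(max_tries):
        for hop in path:
            if size <= hop.mtu:
                continue                # fits this interface, forward it
            if not hop.returns_icmp:
                return False, size      # black hole: nothing to learn from, PMTUD fails
            size = hop.mtu              # learn the smaller MTU and resend
            break
        else:
            return True, size           # every hop passed the packet
    return False, size


def syn_mss(interface_mtu: int, clamp: Optional[int] = None) -> int:
    """MSS advertised in the SYN: derived from the interface MTU unless clamped."""
    return clamp if clamp is not None else tcp_mss(interface_mtu)


def negotiated_mss(client_syn_mss: int, server_local_mss: int) -> int:
    """Both sides send with the lower of the two MSS values."""
    return min(client_syn_mss, server_local_mss)
```

Calling `send_with_pmtud` with a `Hop` whose `returns_icmp` is False reproduces the PMTUD failure described above; with `syn_mss(1500, clamp=1410)` the full-size packets are 1450 bytes and pass such a path without needing any ICMP feedback.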

OSI model

Simplified explanation:

Information that is transmitted through a network is called a "protocol data unit" (PDU).

Layer 7
  The actual application message (HTTP request or other). You likely see a readable ASCII message; the system sees and passes on raw bits (see "Bytes to ASCII Converter").

Layer 4 (PDU: segment)
  Send: The data of layer 7 is split into several chunks (user data / payload). A TCP header (includes the source and destination port) is added to each chunk.
  Receive: The TCP header is stripped off each segment. The remaining user data / payloads (chunks) are reassembled.

Layer 3 (PDU: packet)
  Send: Adds an IP header (includes source and destination IP) to each segment. Determines the best route to forward the packet.
  Receive: Checks if the destination IP matches its own. If yes, removes the IP header and passes the packet to layer 4. If no, forwards the packet to the next hop/router.

Layer 2 (PDU: frame)
  Send: Adds headers (include source and destination MAC) and a trailer (FCS) to each packet.
  Receive: Validates the frame using the frame check sequence (FCS) and checks the MAC address. If valid, removes the headers and trailer and passes the packet to layer 3.

Layer 1 (PDU: bit)
  Send: Transmits the frame as a raw bitstream (1s and 0s) over a physical medium (e.g. via electrical, optical, or radio signals). This layer does not interpret the meaning of the bits; it just moves them from one place to another using signals.
  Receive: Receives frames as raw bitstreams (1s and 0s) over a physical medium. Passes the bitstream to layer 2.
Simplified visualization:

  Layer 7  Raw message in bits: 01000111 01000101 01010100 00100000 0010111...

  Layer 4  Chunks (size depends on MTU): Chunk 1 = 01000111 01000101, Chunk 2 = 01010100 00100...
           Segment = [TCP header][Chunk (User Data)]

  Layer 3  Packet  = [IP header][TCP header][Chunk (User Data)]

  Layer 2  Frame   = [Preamble][Dest. MAC][Source MAC][Type][Packet: IP header ● TCP header ● User Data][FCS]

Switches and routers

A key difference between switches and routers is the layer of the OSI model at which they operate.

  • Switches operate at Layer 2 (Ethernet / Data Link Layer):

    On-link (Direct) Communication: Source -> Destination

    In an IP network, a node can use ARP or Neighbor Discovery to resolve the MAC address of the destination. This is possible when the node is either directly connected to the destination, or connected via one or more switches.

    In both scenarios, the frame is sent directly to the destination using its MAC address. This is considered an on-link connection because the destination receives the exact same frame that the source sent.


  • Routers operate at Layer 3 (IP / Network Layer):

    Off-link (Routed) Communication: Source -> Intermediary -> Intermediary -> Destination

    The source may not be directly connected to the destination and can't use ARP or Neighbor Discovery (ND) to resolve the destination MAC address. Instead, the source has to use ARP or ND to resolve the MAC address of the router (e.g., default gateway).

    The source sends the frame to the router. The router determines the next hop in the path and uses ARP or ND (if necessary) to resolve the MAC address of that hop. The router rewrites the frame headers, replacing the source MAC address with its own and the destination MAC address with that of the next hop. When the destination MAC address and the destination IP address match the local addresses, the frame has reached its destination host. The destination ultimately receives a frame with frame headers different from those originally sent by the source.
