https://forums.clavister.com/viewtopic.php?f=8&t=11915&sid=d03c547c10695ac55b1a8b6931f3e7c8

This How-to applies to:

Objectives with this article: This article describes the basics of troubleshooting TCP MTU/MSS related issues. It also describes how to configure Wireshark to show the information we need in order to troubleshoot. We will discuss how you can determine that a network issue is related to MTU/MSS, based on the Sequence number, Next Sequence number and Acknowledgement number in a packet capture.

The characteristics of an MTU/MSS related issue can be many things, but often it results in dropped connections and/or bad network performance.

All example packet captures can be found here:

Configure Wireshark to show the information we need:

Wireshark does not show the Sequence number, Next Sequence number and Acknowledgement number as columns by default. First of all we need to add them. The simplest way to do that is to start a packet capture and look for a TCP packet as shown below:

[Screenshot: Wireshark1.png]

Note that Next sequence number has brackets [] around it. That is because it is a “made up” number that Wireshark calculates from the packet length and the sequence numbers. We will discuss how that works later.

To apply the parameters as columns, right-click on the field and choose “Apply as column”. Do that for the Sequence number, Next Sequence number and Acknowledgement number:

[Screenshot: Wireshark2.png]

You should now have the following columns in Wireshark:

[Screenshot: Wireshark3.png]

I recommend that you have them in the same order as the picture shows, since it will be easier to read. You can also rename the columns to something shorter, for example SEQ, Next SEQ and ACK, to make it even easier to read.

There is one more thing I usually change, and that is to disable “Relative sequence numbers” in Wireshark for the TCP protocol. This is totally up to the user and how you prefer to read it. By disabling it you will see the real/absolute SEQ, Next SEQ and ACK numbers, and that can be cumbersome to read. By having it enabled, the relative SEQ and ACK numbers will be shown, meaning that all SEQ and ACK numbers always start at 0 for the first packet seen in each conversation. You can read more about the setting at this link: https://wiki.wireshark.org/TCP_Relative ... ce_Numbers
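How the bracketed Next sequence number and the relative numbers described above can be derived from a raw packet, as an added example that is not part of the original article. The function names and the sample packets are constructed for illustration, and the rule that SYN and FIN each consume one sequence number comes from the TCP specification rather than from this page.

```python
import struct

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def parse_segment(ip_packet: bytes) -> dict:
    """Extract SEQ, ACK, SYN/FIN and TCP payload length from a raw IPv4 packet."""
    ihl = (ip_packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip_packet[2:4])[0]   # IPv4 total length
    tcp = ip_packet[ihl:]
    seq, ack, off_flags = struct.unpack("!IIH", tcp[4:14])
    data_offset = (off_flags >> 12) * 4                  # TCP header length in bytes
    return {"seq": seq, "ack": ack,
            "syn": bool(off_flags & 0x02), "fin": bool(off_flags & 0x01),
            "payload_len": total_len - ihl - data_offset}

def next_seq(seg: dict) -> int:
    """SEQ the sender uses next: payload bytes, plus 1 if SYN or FIN is set."""
    return (seg["seq"] + seg["payload_len"] + seg["syn"] + seg["fin"]) % MOD

def relative(value: int, isn: int) -> int:
    """Number relative to the initial sequence number (ISN) of that direction."""
    return (value - isn) % MOD

def build_packet(seq, ack, flags, payload=b""):
    """Constructed sample input: minimal IPv4 + TCP headers, checksums left at 0."""
    tcp = struct.pack("!HHIIHHHH", 40000, 443, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + payload

if __name__ == "__main__":
    isn = 0xFFFFFF00  # constructed ISN close to the 32-bit wrap
    packets = [build_packet(isn, 0, 0x02),                  # SYN, no payload
               build_packet((isn + 1) % MOD, 1, 0x18,       # PSH,ACK with
                            b"A" * 1460)]                   # 1460 bytes of data
    for p in packets:
        s = parse_segment(p)
        print(f"SEQ={s['seq']} NextSEQ={next_seq(s)} "
              f"relSEQ={relative(s['seq'], isn)} "
              f"relNextSEQ={relative(next_seq(s), isn)}")
```

With the absolute numbers the second segment's Next SEQ wraps past 2^32 and becomes smaller than its SEQ, which is one reason the absolute view is harder to read than the relative one.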