I noticed I have several networks with all ICMP messages blocked at the firewall level, except for ICMP echo and reply.
I know that at least ICMP type 3 messages in IPv4 have to be allowed for the MTU negotiation to occur.
The packets can be sniffed with the command:
sudo tcpdump icmp
However, how do I generate ICMP packets type 3 on one remote point to make global tests?
You need ICMP type 3 "destination unreachable" packets to provide healthy IP connections.
The easiest way to generate ICMP type 3 packets for testing is by using the nping program.
The nping program is part of the nmap package, so that package needs to be installed. To install it, run:
sudo apt install nmap
After installing it, to test a remote Linux system, start by running the following on the remote side, to listen for ICMP type 3 and 4 packets:
sudo tcpdump 'icmp[0] = 3'
or
sudo tcpdump '(icmp[0] = 3) and (host ip_or_dns_of_nping_sender)'
and then, on the other system/side, send the ICMP type 3 packets:
sudo nping --icmp-type 3 ip_or_dns_of_remote
Be sure to test them in both directions.
As an example, using the loopback interface to show the test in the local machine:
In the first terminal - listening for ICMP type 3 messages:
$ sudo tcpdump -i lo 'icmp[0] = 3'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
21:37:44.089420 IP localhost > localhost: [|icmp]
21:37:45.090092 IP localhost > localhost: [|icmp]
21:37:46.091289 IP localhost > localhost: [|icmp]
21:37:47.093095 IP localhost > localhost: [|icmp]
21:37:48.095019 IP localhost > localhost: [|icmp]
^C
5 packets captured
10 packets received by filter
0 packets dropped by kernel
In the second terminal - sending ICMP type 3 messages:
$ sudo nping --icmp-type 3 localhost
Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2017-03-06 21:37 WET
SENT (0.0221s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
RCVD (0.2088s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
SENT (1.0228s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
RCVD (1.2088s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
SENT (2.0240s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
RCVD (2.2088s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
SENT (3.0258s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
RCVD (3.2088s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
SENT (4.0277s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
RCVD (4.2088s) ICMP 127.0.0.1 > 127.0.0.1 Destination unreachable (type=3/code=0) ttl=64 id=40477 iplen=28
Max rtt: 186.715ms | Min rtt: 181.081ms | Avg rtt: 184.307ms
Raw packets sent: 5 (140B) | Rcvd: 5 (140B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 4.24 seconds
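The nping run above sends type 3 with code 0, while path MTU discovery relies on type 3 code 4 ("fragmentation needed", RFC 1191), which carries the next-hop MTU in bytes 6-7 of the ICMP header. The following is an added example, not part of the original answer: it classifies captured ICMP bytes the same way the `icmp[0] = 3` filter does and additionally separates the code 4 case. The function names and the sample packets are constructed for illustration.

```python
import struct

# ICMP type 3 codes of interest (RFC 792, RFC 1191)
CODES = {0: "net unreachable", 1: "host unreachable",
         3: "port unreachable", 4: "fragmentation needed"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_unreachable(code: int, mtu: int = 0, quoted: bytes = b"") -> bytes:
    """Construct a sample type 3 message (test data for the parser below)."""
    csum = checksum(struct.pack("!BBHHH", 3, code, 0, 0, mtu) + quoted)
    return struct.pack("!BBHHH", 3, code, csum, 0, mtu) + quoted

def classify(icmp: bytes) -> dict:
    """Parse bytes starting at the ICMP header (offset 0 is tcpdump's icmp[0])."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    result = {"type": itype, "code": code,
              "checksum_ok": checksum(icmp) == 0,
              "is_unreachable": itype == 3,   # what 'icmp[0] = 3' matches
              "pmtud": False, "next_hop_mtu": None}
    if itype == 3:
        result["meaning"] = CODES.get(code, "other")
        if code == 4:                         # the message PMTUD depends on
            result["pmtud"] = True
            result["next_hop_mtu"] = mtu
    return result

if __name__ == "__main__":
    # Constructed samples: an 8-byte code 0 message (matches iplen=28 above)
    # and a code 4 message advertising an MTU of 1400 with 28 quoted bytes.
    for pkt in (build_unreachable(0), build_unreachable(4, 1400, bytes(28))):
        print(classify(pkt))
```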