Articles

Packet Fragmentation: The Silent Network Killer

March 24, 2026 7 min read

IP packet fragmentation happens when a packet is too large to traverse a network path, forcing the router to break it into smaller pieces.

Here’s how to see it in action. Imagine you’re sending a large file over a network that has a smaller Maximum Transmission Unit (MTU) than your initial packet size.

# On sender machine, create a large packet (e.g., 2000 bytes)
ping -s 2000 your_destination_ip

# On a router along the path, or on the destination, capture traffic
tcpdump -i eth0 'icmp' -vv

You’ll observe ICMP packets with the "fragmentation needed" flag set, or see multiple smaller ICMP packets corresponding to the original large one. The tcpdump output might look something like this, showing multiple "id" values for fragmented packets or an ICMP error message:

14:35:10.123456 IP (tos 0, ttl 64, id 12345, offset 0, flags [DF], proto: ICMP (1), length: 2000) sender.45678 > receiver.echo: ICMP: echo request (id=123, seq=1)
14:35:10.123457 IP (tos 0, ttl 63, id 54321, offset 0, flags [none], proto: IP (4), length: 1500) 192.168.1.1.12345 > receiver.echo: frag (id=123, offset=0, len=1500)
14:35:10.123458 IP (tos 0, ttl 63, id 54322, offset 0, flags [none], proto: IP (4), length: 500) 192.168.1.1.12345 > receiver.echo: frag (id=123, offset=185, len=500)

The Maximum Transmission Unit (MTU) is the largest packet size, in bytes, that a network interface or link can handle without fragmentation. When a packet exceeds the MTU of any link along its path, routers must either drop the packet or fragment it.

The problem arises because fragmentation adds overhead. Each fragment needs its own IP header, increasing the total data transmitted. More critically, if even a single fragment is lost, the entire original packet is lost, and the receiving host must discard all its pieces. This is why protocols like TCP often struggle with fragmented packets, leading to retransmissions and performance degradation.

The core issue is a mismatch between the sender’s packet size and the smallest MTU encountered on the path to the destination.

Common Causes and Fixes:

  1. Path MTU Discovery (PMTUD) Failure: This is the most common culprit. PMTUD is a mechanism where hosts try to determine the smallest MTU along the path and adjust their packet sizes accordingly. It relies on routers not blocking ICMP "Fragmentation Needed" messages.

    • Diagnosis: On the sending host, try pinging a known destination with the "do not fragment" (DF) flag set and a size that should fragment.
      ping -M do -s 1472 your_destination_ip
      If this times out or returns "Packet needs to be fragmented but DF set," PMTUD is likely broken. Check firewalls on intermediate routers or the destination for blocked ICMP type 3 (Destination Unreachable) codes 4 (Fragmentation Needed).
    • Fix: Ensure that ICMP Type 3, Code 4 messages are permitted through all firewalls between the source and destination. If you cannot fix the network, you can sometimes work around it by setting a lower MTU on the sending interface.
    • Why it works: Allowing ICMP Type 3, Code 4 lets the router inform the sender about the MTU limit, enabling the sender to adjust its packet size before fragmentation occurs.

  2. VPN Tunnel Overhead: VPNs encapsulate original packets within new headers. This adds bytes, effectively reducing the usable MTU for the original packet.

    • Diagnosis: If the issue only occurs when the VPN is active, suspect the VPN. Calculate the overhead of your VPN protocol (e.g., OpenVPN often adds ~100 bytes, IPsec can add more).
    • Fix: Configure your VPN client or server to use a lower MTU for the tunnel interface. For example, if your Ethernet MTU is 1500 and your VPN adds 100 bytes, set the tunnel MTU to 1400.
      # Example for OpenVPN client config
tun-mtu 1400
mssfix 1360 # Often paired with tun-mtu
    • Why it works: By pre-emptively reducing the MTU for the inner packet, you ensure that the outer, encapsulated packet (including VPN headers) does not exceed the underlying physical network’s MTU.

  3. PPPoE Connections: Point-to-Point Protocol over Ethernet (PPPoE), common for DSL connections, adds an 8-byte overhead.

    • Diagnosis: If you are on a DSL connection and experiencing issues, check your connection type. You can also check the interface MTU on your router; it’s often set to 1492 for PPPoE.
    • Fix: Set the MTU on the PPPoE interface to 1492.
      # Example for Linux PPPoE configuration (e.g., /etc/ppp/peers/your_provider)
mtu 1492
mru 1492
    • Why it works: The standard Ethernet MTU is 1500 bytes. PPPoE adds an 8-byte header, so the maximum payload for the IP packet becomes 1492 bytes.

  4. Jumbo Frames Misconfiguration: Some high-performance networks use "Jumbo Frames" which allow MTUs larger than 1500 bytes (e.g., 9000 bytes). If a device in the path doesn’t support or is misconfigured for these larger frames, fragmentation can occur.

    • Diagnosis: Check the MTU settings on all network interfaces involved in the communication path, especially on network switches and specialized hardware.
    • Fix: Ensure all devices in the path are configured for the same MTU size. If Jumbo Frames are not intended, set all relevant interfaces back to the standard 1500. If they are intended, verify that all devices (NICs, switches, routers) support and are configured for the larger MTU (e.g., 9000).
    • Why it works: Consistency in MTU across the entire path prevents intermediate devices from having to fragment packets that would otherwise fit.

  5. Specific Application or Protocol Behavior: Some older protocols or applications might not handle fragmentation gracefully or might send excessively large packets.

    • Diagnosis: If only specific applications are failing, investigate their MTU handling. For example, some NFS clients or servers can be sensitive.
    • Fix: For applications that allow it, reduce their internal buffer sizes or MTU settings. Alternatively, implement TCP MSS clamping on your firewall or router to limit the maximum segment size of TCP packets.
      # Example for Cisco IOS router to clamp TCP MSS
ip firewall-tcp-mss-clamp SYN-only 1360
    • Why it works: TCP MSS clamping tells the TCP stack that the maximum segment size it should use is 1360 bytes (for an Ethernet MTU of 1500, accounting for IP and TCP headers), preventing large TCP segments that would lead to IP fragmentation.

  6. IPv6 Fragmentation: While less common to cause issues than IPv4 fragmentation due to differences in how it’s handled (intermediate routers don’t fragment IPv6 packets), understanding IPv6 is important. IPv6 relies heavily on PMTUD for fragmentation.

    • Diagnosis: Similar to IPv4 PMTUD, check for ICMPv6 "Packet Too Big" messages (Type 2, Code 0).
    • Fix: Ensure ICMPv6 "Packet Too Big" messages are not blocked. If PMTUD fails, you may need to manually set the MTU on the IPv6 interface or use the hop-by-hop fragmentation header (though this is rare and discouraged).
    • Why it works: Like its IPv4 counterpart, allowing "Packet Too Big" messages enables the source to adjust its packet size for the path.

The next error you’ll likely encounter after fixing fragmentation issues is a sudden increase in latency or throughput, as packets are now flowing efficiently without being broken down and reassembled.

Want structured learning?

Take the full Internet Protocol Deep Dives course →