TechTorch


March 07, 2025

Understanding Wireshark's Detection of Maximum Segment Size (MSS)

Wireshark is a powerful packet analyzer that enables network administrators, security professionals, and developers to inspect and understand network traffic at a deep level. One of the essential pieces of information Wireshark can reveal is the Maximum Segment Size (MSS). The MSS is an important parameter in TCP (Transmission Control Protocol) that defines the largest size of data that can be sent in a single segment of a TCP connection. Here's how Wireshark detects and displays the MSS during a network capture.

TCP Handshake and MSS Detection

The TCP handshake is initiated when a client establishes a connection with a server. This handshake involves three-way communication: SYN, SYN-ACK, and ACK. During this process, the MSS is often specified in the initial SYN packet. Wireshark analyzes the TCP packets during the handshake to identify the MSS value.

TCP Header Options for MSS

Among the options that can follow the fixed TCP header, the MSS option stands out. It is identified by a specific option kind value and is laid out as 2 bytes of option header (the kind and length fields) followed by 2 bytes for the value. When the TCP SYN packet includes the MSS option, Wireshark extracts this value to provide detailed information about the connection.

Dissection of TCP Packets

Wireshark dissects each TCP packet and searches for the MSS option in the options field of the SYN packet. Once the MSS option is identified, it extracts the MSS value and displays it in the packet details. This process allows users to determine the maximum segment size that the sender is willing to accept in TCP communications.

Example of MSS Detection in Wireshark

When analyzing a packet including an MSS option, you might see something like this in the packet details:

Transmission Control Protocol
    Source Port: 49152
    Destination Port: 80
    Sequence Number: 1
    Acknowledgment Number: 0
    Header Length: 40 bytes
    Flags: SYN
    Options: Maximum Segment Size: 1460

In this example, the MSS is set to 1460 bytes, indicating the maximum size of TCP segments that the sender is willing to accept.
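The option walk described above can be reproduced outside Wireshark. The following is an added example, not code from the original article or from Wireshark: a minimal parser that pulls the MSS out of a raw TCP header and rejects malformed option lengths. The function names and the sample header (built to match the ports, MSS and 40-byte header length shown above) are constructed for illustration.

```python
import struct

SYN = 0x02                               # SYN bit in the TCP flags field
KIND_EOL, KIND_NOP, KIND_MSS = 0, 1, 2   # TCP option kinds (RFC 9293)

def parse_mss(tcp_header: bytes):
    """Return the MSS announced in a SYN or SYN-ACK header, else None."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    header_len = (offset_flags >> 12) * 4    # data offset is in 32-bit words
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("invalid data offset")
    if not offset_flags & SYN:
        return None                          # MSS is only sent on SYN segments
    opts, i = tcp_header[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:                 # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option is missing its length byte")
        length = opts[i + 1]
        # A length below 2 would stall the walk; one past the end would over-read.
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        if kind == KIND_MSS:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def build_sample_syn() -> bytes:
    """Constructed SYN header: ports and MSS from the example, 40-byte header."""
    options = (bytes([2, 4]) + struct.pack("!H", 1460)      # MSS = 1460
               + bytes([4, 2])                               # SACK permitted
               + bytes([8, 10]) + struct.pack("!II", 1, 0)   # timestamps
               + bytes([1])                                  # NOP padding
               + bytes([3, 3, 7]))                           # window scale
    offset_flags = ((20 + len(options)) // 4) << 12 | SYN
    fixed = struct.pack("!HHIIHHHH", 49152, 80, 0, 0, offset_flags, 64240, 0, 0)
    return fixed + options

if __name__ == "__main__":
    print(parse_mss(build_sample_syn()))
```

The length checks matter when the input is untrusted capture data: an option claiming a length of 0 or 1, or one that runs past the header, is reported as an error instead of being followed.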

Viewing MSS Information with Display Filters

Wireshark provides powerful display filters to help users easily view packets containing MSS information. Using these filters can significantly enhance the efficiency of network analysis. For instance, the following display filter is used to filter for packets containing the MSS option:


Applying this filter will only show TCP packets that contain the MSS option, making it easier to find and analyze related data.

Summary

Wireshark detects the MSS by analyzing TCP packets during the handshake process, specifically by examining the options field in the TCP header. This enables users to gain detailed insight into the maximum segment sizes used in TCP communications, facilitating comprehensive network traffic analysis.

In your trace, the MSS option is found only in the SYN and SYN/ACK packets of the TCP connection establishment three-way handshake. In your trace, MSS is present only in packets 1, 2, 16, 17, 191897, and 191898, and in every one of those packets, the MSS is 1460. TCP packets with no data are mostly acknowledgements.