Script path-mtu

Script types: hostrule
Categories: safe, discovery

Script Summary

Performs simple Path MTU Discovery to target hosts.

TCP or UDP packets are sent to the host with the DF (don't fragment) bit set and with varying amounts of data. If an ICMP Fragmentation Needed is received, or no reply is received after retransmissions, the amount of data is lowered and another packet is sent. This continues until (assuming no errors occur) a reply from the final host is received, indicating the packet reached the host without being fragmented.

Not all MTUs are attempted so as to not expend too much time or network resources. Currently the relatively short list of MTUs to try contains the plateau values from Table 7-1 in RFC 1191, "Path MTU Discovery". Using these values significantly cuts down the MTU search space. On top of that, this list is rarely traversed in whole because:

  • the MTU of the outgoing interface is used as a starting point, and
  • we can jump down the list when an intermediate router sending a "can't fragment" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)

Example Usage

nmap --script path-mtu target

Script Output

Host script results:
|_path-mtu: 1492 <= PMTU < 1500

Host script results:
|_path-mtu: PMTU == 1006



  • Kris Katterjohn

License: Same as Nmap--See