What Is MSS in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
MSS stands for Maximum Segment Size. It is a setting in TCP connections that tells the other device the biggest chunk of data you can accept in one packet, not counting the headers. This prevents packets from being too large and breaking during transmission. Think of it as the maximum payload size your network interface can handle without fragmenting.
Commonly Confused With
MTU (Maximum Transmission Unit) is the total size of the largest IP packet that can be transmitted over a link, including the IP header and payload. MSS is only the TCP data portion, excluding all headers. MTU is a Layer 2/3 concept, while MSS is a Layer 4 concept. A common exam trick is to give MTU and ask for MSS, requiring subtraction of header sizes.
If the MTU is 1500, the maximum MSS for TCP over IPv4 is 1500 - 20 (IP) - 20 (TCP) = 1460.
TCP window size is the amount of data a sender can transmit before waiting for an acknowledgment, measured in bytes. MSS is the size of each individual segment. Window size is like the total number of seats on a train, while MSS is the size of each car. A larger window allows more segments to be in flight, but each segment is still limited by MSS.
A window size of 65535 bytes with an MSS of 1460 means up to about 44 segments can be sent before ACK.
Payload is a general term for the actual data being carried by a protocol. MSS is a specific limit on the payload size of a TCP segment. Not all payloads are TCP, and payload can include application layer data. MSS specifically applies to TCP segment payloads during the handshake.
In a TCP packet, the payload is the application data (e.g., part of a web page). The MSS restricts that payload to a maximum of 1460 bytes on Ethernet.
Must Know for Exams
MSS is a recurring topic in several IT certification exams, especially those covering TCP/IP fundamentals and network troubleshooting. In CompTIA Network+ (N10-008/009), MSS appears under Objective 1.5, which covers TCP and UDP protocols, and Objective 5.
3, which covers network troubleshooting methodologies. Candidates may be asked to identify the default MSS for Ethernet (1460 bytes) or to explain why a VPN connection is slow due to MTU/MSS mismatches. Exam questions often present a scenario where users on a VPN can connect but cannot browse certain websites, and the correct solution is to adjust the MSS setting on the VPN gateway.
In the Cisco CCNA (200-301), MSS is tested in the context of TCP operations and IP connectivity. The exam objectives include understanding TCP three-way handshake, windowing, and segmentation. CCNA questions might ask candidates to calculate the MSS given the MTU and header sizes, or to troubleshoot a scenario where a ping with DF flag set fails for a certain packet size.
The practical skill of configuring MSS on an interface using the “ip tcp adjust-mss” command is a known exam topic. In Juniper JNCIA-Junos, MSS is relevant to security policies and flow monitoring. Candidates may need to configure MSS clamping on a security policy or understand how Junos handles TCP MSS in ALGs.
The exam may also test knowledge of how MSS interacts with Path MTU Discovery. For the AWS Certified Advanced Networking - Specialty, MSS is important when designing hybrid networks with VPN connections or Direct Connect. The exam may include questions about optimizing throughput by setting MSS to match the link MTU.
In all these exams, the trap is often conflating MSS with MTU. Learners must remember that MSS is the data payload size, while MTU is the total packet size including headers. Another common exam topic is the impact of double encapsulation (e.
g., IPsec over GRE) on MSS. Recognizing that each layer adds headers helps candidates correctly calculate the required MSS adjustment. Multiple-choice questions might offer plausible but incorrect values, requiring candidates to perform the subtraction accurately.
Hands-on lab simulations may ask candidates to fix a slow connection by adjusting MSS on a router, testing both conceptual knowledge and command syntax.
Simple Meaning
Imagine you are mailing large documents through the post. The post office has rules about how big a single envelope can be. If your document is too big, you have to split it into multiple envelopes.
In computer networking, MSS is like that envelope size limit, but it applies to the actual data part of a network packet, not the packaging. When two computers talk over the internet using TCP, they first agree on an MSS value. This value is the largest amount of actual data that one computer will send in a single TCP segment.
It is calculated by taking the Maximum Transmission Unit (MTU) of the link, which is the total size of the whole packet including headers, and then subtracting the size of the TCP header and the IP header. For example, on a typical Ethernet network, the MTU is usually 1500 bytes. The IP header is typically 20 bytes, and the TCP header is also typically 20 bytes, leaving 1460 bytes for data.
So the default MSS for most Ethernet connections is 1460 bytes. However, this can change based on the network path. If a VPN or tunneling protocol adds extra headers, the MSS might need to be smaller to avoid fragmentation.
Fragmentation happens when a packet is too big for a router along the path, forcing the router to split it into smaller pieces. This is inefficient and can cause performance issues. By setting an appropriate MSS, devices ensure that data travels smoothly without needing to be broken apart along the way.
MSS is crucial for network performance, especially in environments like Wi-Fi, VPNs, or data centers where packet sizes can vary.
Full Technical Definition
The Maximum Segment Size (MSS) is a parameter in the TCP (Transmission Control Protocol) that defines the largest amount of data, measured in bytes, that a host is willing to receive in a single TCP segment. It is negotiated during the TCP three-way handshake. The MSS value is communicated in the MSS option field of the TCP SYN segment, and each endpoint can announce its own MSS.
The actual MSS used for the connection is typically the minimum of the two announced values. The standard default MSS for TCP over IPv4 on an Ethernet network is 1460 bytes, derived from the typical MTU of 1500 bytes minus the 20-byte IP header and the 20-byte TCP header. For IPv6, the default is 1440 bytes, accounting for the larger 40-byte IP header.
However, the actual MSS in a real network can be lower due to Path MTU Discovery (PMTUD). PMTUD works by setting the Don’t Fragment (DF) flag in the IP header. If a router along the path cannot forward the packet because it exceeds the link’s MTU, the router discards the packet and sends an ICMP Fragmentation Needed message back to the source.
The source then reduces its assumed MTU, and consequently its MSS, until packets pass through without issue. Modern operating systems also support TCP MSS clamping. This is a technique used by routers and firewalls to overwrite the MSS value in TCP SYN packets, ensuring that traffic traversing a link with a smaller MTU (like a PPPoE or VPN tunnel) does not cause fragmentation.
For example, when a client connects through a VPN, the VPN encapsulation adds additional headers (e.g., GRE, IPsec). If the original MSS is 1460, the total packet size could exceed the MTU of the underlying link.
By clamping the MSS to a lower value, such as 1400 bytes, the router prevents fragmentation and improves performance. In exam contexts, MSS is often tested in relation to TCP performance tuning, troubleshooting slow connections over VPNs, and understanding the interplay between MTU, fragmentation, and path discovery. It is a foundational concept for networking certifications like CompTIA Network+, Cisco CCNA, and Juniper JNCIA.
Real-Life Example
Think of MSS like a luggage size limit at an airport. When you check in for a flight, the airline has strict rules about how big your suitcase can be. If your suitcase is too large, you either have to reduce its contents or pay extra fees.
In some cases, the airline might force you to split your belongings into multiple smaller bags. In computer networking, MSS is that maximum baggage size for data packets. The network is the airline, and the packets are your suitcases.
The MTU is the total space allowed for a suitcase plus its handle and wheels (metadata). The MSS is just the space for the clothes inside (the actual data). If you pack too many clothes into a suitcase that exceeds the airline’s limit, the airline might force you to repack it into smaller suitcases, which takes time and effort.
In networking, this repacking is called fragmentation. Fragmentation slows everything down because the receiving device has to reassemble the pieces. Now, imagine you are connecting two airports via a small regional airline that has even stricter size limits.
The main airline can coordinate with the regional one to tell passengers to pack smaller bags. This coordination is like MSS negotiation between two computers. By agreeing on a smaller MSS, they avoid awkward repacking at the checkpoint (the router).
Another real-life example is moving furniture into an elevator. The elevator has a maximum weight and size limit. If your sofa is too big, you have to disassemble it and take multiple trips.
MSS prevents that inefficiency by ensuring each “trip” (packet) carries a load that fits within the elevator’s limits. In a corporate network, an administrator might lower the MSS on a VPN connection to avoid packet drops, similar to advising movers to use a smaller truck for a narrow street.
Why This Term Matters
MSS matters because it directly impacts network performance, reliability, and security. When MSS is set incorrectly, it can cause a range of problems. The most common issue is fragmentation.
When a TCP segment is too large to fit within the path MTU, the IP layer must fragment it into smaller packets. Fragmentation consumes router CPU resources, increases latency, and can lead to packet loss if fragments are dropped. If the DF flag is set, which is common in modern networks, oversized packets are simply discarded, resulting in TCP retransmissions and slow application performance.
This is especially problematic in VPN environments, where encapsulation overhead reduces the effective MTU. For example, a standard PPPoE DSL connection adds 8 bytes of overhead, reducing the effective MTU from 1500 to 1492. If the MSS is not adjusted, the client may experience timeouts when accessing websites.
MSS also plays a role in security. Attackers can exploit MSS behavior to perform fragmentation-based attacks or TCP injection. Network administrators often use MSS clamping as a mitigation technique.
MSS is a key factor in TCP throughput calculations. The TCP window size and the MSS together determine how much data can be in transit before an acknowledgment is required. A larger MSS can improve throughput by reducing the number of segments needed to send a given amount of data.
In data centers, tuning MSS can optimize storage traffic and virtualization workloads. For IT professionals, understanding MSS is essential for diagnosing network bottlenecks, configuring firewalls and routers, and ensuring smooth VPN connectivity. In help desk scenarios, a user reporting that “the internet is slow” might actually be experiencing Path MTU Discovery issues related to MSS.
Knowing how to check and adjust MSS is a practical skill covered in many certification exams.
How It Appears in Exam Questions
MSS appears in exam questions in three main patterns: scenario-based troubleshooting, calculation, and configuration. In scenario-based troubleshooting, the question describes a network issue. For example: Users at a branch office connect to the corporate network via a VPN.
They can establish the VPN tunnel and ping internal servers, but they cannot access internal web pages. The IT team notices that large file transfers are slow. The question asks for the most likely cause.
The answer involves MTU/MSS mismatch. The follow-up may ask which command or setting to use to fix it, such as adjusting the MSS value on the VPN gateway. Another scenario involves a client that can connect to a website but cannot load images, while text content loads fine.
This points to a packet size issue, and the correct answer is to reduce MSS. Calculation questions provide an MTU value and header sizes and ask for the resulting MSS. For instance: “A network has an MTU of 1500 bytes.
The IP header is 20 bytes, and the TCP header is 20 bytes. What is the default MSS?” The answer is 1460. More complex calculations may involve encapsulation overhead. Example: “A GRE tunnel adds 24 bytes of overhead.
What should the MSS be set to if the underlying link MTU is 1500?” The answer is 1500 - 20 (IP) - 20 (TCP) - 24 (GRE) = 1436. Configuration questions ask about specific commands. In Cisco IOS, the command is “ip tcp adjust-mss 1400” applied to an interface.
The question may ask where to apply this command (on the interface facing the client or the tunnel). In Juniper, the configuration may involve setting tcp-mss in a security policy. Some questions test the concept of MSS clamping and ask which device performs it (typically a router or firewall along the path).
Another variation asks about the effect of setting the DF flag and its relationship to PMTUD. For example: “A device sends a packet with DF set. The packet is too large for a router along the path.
What happens?” The router sends an ICMP Type 3 Code 4 message. If that ICMP message is blocked by a firewall, PMTUD fails, and the connection may stall. These questions require understanding of the entire chain, not just the definition of MSS.
True/false questions might say: “MSS is the total size of a TCP segment including headers.” The correct answer is false. Finally, some questions ask about default values: “What is the default MSS for TCP over IPv6 on Ethernet?
” Answer: 1440 bytes.
Practise MSS Questions
Test your understanding with exam-style practice questions.
Example Scenario
You work as a junior network administrator for a company with a sales team that works remotely. The sales team connects to the corporate network using a VPN client installed on their laptops. Recently, several salespeople have reported that they can connect to the VPN and send emails, but the company’s internal customer relationship management (CRM) web application is extremely slow.
Sometimes pages time out completely. You suspect a problem with packet fragmentation. You run a ping test from one of the remote laptops to the internal CRM server. You start with a default ping size of 32 bytes, which works fine.
Then you increase the size to 1472 bytes and set the Don’t Fragment flag. The ping times out. This tells you that the path MTU is smaller than 1500 bytes, likely due to the VPN encapsulation.
The VPN client is adding 40 or more bytes of overhead (IPsec and ESP headers), making the total packet exceed the 1500 byte MTU somewhere in the path. The CRM web pages require larger data segments, so they get dropped. To solve this, you need to reduce the MSS on the VPN connection.
You check the VPN gateway configuration. You find a setting called “TCP MSS clamping” and set it to 1400 bytes. This forces the VPN gateway to rewrite the MSS value in TCP SYN packets, telling the remote laptops to send data segments no larger than 1400 bytes.
After applying the change, the sales team reports that the CRM application loads normally. File transfers also improve. This scenario demonstrates how MSS directly affects application performance in a real-world VPN environment.
It also shows the diagnostic process: starting with a ping test, interpreting the failure with DF set, and applying the correct fix. In an exam, you might be asked to identify the issue, calculate the appropriate MSS, or specify the configuration command.
Common Mistakes
Thinking MSS includes TCP and IP headers.
MSS specifically refers to the data payload size only. Headers are excluded. The total packet size is MTU, not MSS.
Remember: MSS = MTU - (IP header + TCP header). Headers are not part of the MSS.
Confusing MSS with MTU and using them interchangeably in exam answers.
MTU is the maximum size of the entire IP packet, including headers. MSS is only the TCP data portion. Using them interchangeably leads to wrong calculations and diagnoses.
Always clarify: MTU is the whole package, MSS is just the contents. When a question asks for data segment size, it's MSS.
Assuming MSS is always 1460 bytes in all networks.
The default MSS of 1460 applies only to standard Ethernet with no encapsulation. VPNs, tunnels, PPPoE, and VLAN tagging all reduce the effective MSS.
Always consider the path overhead. If the network uses tunnels or QoS tags, subtract those bytes from the base MTU before calculating MSS.
Believing MSS is set by the receiver only.
Both endpoints announce their MSS during the TCP handshake, and the actual MSS used is the minimum of the two. It is a negotiated parameter.
Think of MSS as a mutual agreement. The sender also has a limit. The smaller of the two values is used.
Applying MSS adjustment on the wrong interface.
MSS clamping should be applied on the interface that is closest to the device whose TCP traffic needs adjustment, often the ingress interface of a router or the tunnel interface.
Identify the bottleneck. Apply the command on the interface where the large packets enter the tunnel or where the MTU decreases.
Exam Trap — Don't Get Fooled
{"trap":"The exam states: 'A user cannot access a website. The network has an MTU of 1500. You set the MSS to 1500 to fix the problem.' Is this correct?","why_learners_choose_it":"Learners confuse MSS with MTU and think increasing MSS will allow more data, solving the problem.
They also may think setting MSS equal to MTU is efficient.","how_to_avoid_it":"MSS can never equal MTU because MSS excludes headers. Setting MSS to 1500 would result in packets that are too large (1500 data + 40 headers = 1540 bytes), causing fragmentation or drop.
The correct maximum MSS is 1460 for standard Ethernet."
Step-by-Step Breakdown
Step 1: Client initiates TCP connection (SYN).
The client sends a TCP SYN segment to the server. Inside this SYN segment, the client includes the MSS option field, announcing the maximum segment size it can receive. This value is typically based on the MTU of the client's network interface minus IP and TCP header sizes.
Step 2: Server responds with SYN-ACK.
The server receives the SYN and sees the client's MSS. The server then sends back a SYN-ACK segment, which also includes its own MSS option. This is the server's announced MSS, usually based on its own interface MTU.
Step 3: Client sends final ACK.
The client completes the three-way handshake by sending an ACK. At this point, both sides know each other's MSS. The actual MSS used for the connection is set to the smaller of the two announced values.
Step 4: Path MTU Discovery (optional but common).
The client or server may perform PMTUD by sending packets with the DF flag set. If a router along the path cannot forward a packet due to MTU limits, it sends an ICMP Fragmentation Needed message. The source reduces its assumed path MTU and recalculates MSS accordingly.
Step 5: Data transmission begins.
Both endpoints now segment the application data into chunks no larger than the agreed MSS. Each chunk is placed in a TCP segment, encapsulated in an IP packet, and sent across the network. This minimizes the risk of fragmentation.
Step 6: MSS Clamping (if configured).
A router or firewall on the path may overwrite the MSS value in SYN packets to enforce a smaller size. This is useful for links with encapsulation overhead (VPNs, PPPoE). The clamping device intercepts the SYN, reduces the MSS option, and forwards the modified packet.
Practical Mini-Lesson
MSS is a fundamental TCP parameter that networking professionals must understand to ensure optimal performance and troubleshoot connectivity issues. In practice, the most common task involving MSS is adjusting it for VPN tunnels. When a client connects to a corporate network via IPsec VPN, the VPN adds encapsulation headers.
For example, a standard IPsec tunnel with ESP in tunnel mode adds about 50-60 bytes of overhead. If the underlying network has an MTU of 1500, the effective payload size drops. Without adjusting MSS, TCP segments of 1460 bytes result in IP packets of 1500 bytes, which then get encapsulated into packets of 1550-1560 bytes, exceeding the MTU.
This causes fragmentation or, if DF is set, packet drops. The symptom is that the VPN connection establishes, but data transfer is slow or some applications fail. The fix is to configure MSS clamping on the VPN gateway.
In Cisco IOS, the command is “ip tcp adjust-mss <value>” applied to the intranet-facing interface. The value is calculated as the link MTU minus the IP header (20) minus the TCP header (20) minus any encapsulation overhead. For a PPPoE link, the overhead is 8 bytes, so the MSS should be 1500 - 40 - 8 = 1452.
For a GRE tunnel, the overhead is 24 bytes, so MSS becomes 1436. For IPsec, it could be as low as 1360. Professionals should also know how to test path MTU. The classic method is using ping with DF set.
For example, on Windows: ping -f -l 1472 8.8.8.8. If it fails, reduce the size until it works. The last successful size plus 28 (IP and ICMP headers) gives the path MTU. The MSS is that value minus 40.
Another practical consideration is that some operating systems allow setting the MSS globally via registry or sysctl. For instance, on Linux, you can set the MSS using iptables: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu. This automatically clamps MSS to the path MTU.
However, this only works if PMTUD is functional. If ICMP messages are blocked by firewalls, this approach fails, and manual clamping is needed. Finally, be aware that some cloud providers and CDNs have specific MTU requirements.
For example, AWS Direct Connect uses jumbo frames (MTU 9000) in some cases, which allows larger MSS and better throughput. When designing hybrid networks, consider the MSS end-to-end to avoid surprises. MSS management is a bread-and-butter skill for network engineers.
Memory Tip
MSS = Max Size of Stuff (data), not headers. Think: 1460 for Ethernet, subtract tunnel overhead.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
What is the default MSS for Ethernet?
The default MSS for TCP over IPv4 on Ethernet is 1460 bytes, calculated from the standard MTU of 1500 minus 20 bytes for the IP header and 20 bytes for the TCP header.
Does MSS include the TCP header?
No. MSS (Maximum Segment Size) refers only to the data portion of a TCP segment, not the TCP or IP headers. The headers are separate and add overhead.
Why does my VPN slow down if MSS is not adjusted?
VPN encapsulation adds extra headers to each packet. If the original packet is already at the MTU limit, adding VPN headers makes the total packet exceed the link's MTU, causing fragmentation or packet drops, which slows performance.
How do I find the correct MSS value for my network?
Find the path MTU using ping with the Don’t Fragment flag. The largest successful packet size plus 28 (ICMP and IP headers) is the path MTU. Subtract 40 (20 IP + 20 TCP) to get the MSS. Adjust for any known encapsulation overhead.
Can MSS be larger than 1460?
Yes, if the underlying network supports jumbo frames (MTU 9000 or larger). In data centers, MSS can be 8960 bytes or more. However, the entire path must support the larger MTU.
Is MSS determined by the client or the server?
Both. During the TCP three-way handshake, each side announces its MSS. The actual MSS used is the smaller of the two values. This ensures both ends can handle the segment size.
What is MSS clamping?
MSS clamping is a technique used by routers or firewalls to overwrite the MSS value in TCP SYN packets, enforcing a smaller segment size. It prevents fragmentation on links with reduced MTU, such as VPNs or PPPoE connections.
Summary
MSS, or Maximum Segment Size, is a critical TCP parameter that defines the largest amount of data that can be sent in a single TCP segment, excluding headers. It is negotiated during the TCP three-way handshake and is derived from the path MTU. For standard Ethernet, the default MSS is 1460 bytes, but this value decreases when encapsulation overhead from VPNs, tunnels, or PPPoE is present.
Understanding MSS is essential for network professionals because an incorrect MSS leads to fragmentation, packet loss, and degraded application performance. In certification exams, MSS appears in troubleshooting scenarios, calculation questions, and configuration tasks, particularly for CompTIA Network+, Cisco CCNA, and Juniper JNCIA. Common mistakes include confusing MSS with MTU, assuming a fixed default value, and applying adjustments on the wrong interface.
To master MSS, learners should practice calculating MSS from MTU and headers, recognize the symptoms of MSS mismatch, and know the relevant commands for clamping. Ultimately, MSS is a foundational concept that bridges Layer 3 and Layer 4 of the OSI model, and a solid grasp of it is a requirement for any IT professional dealing with network performance and reliability.