🌐 MTU & MSS Calculator – Understand Network Header Overhead
Every network packet travels through layers of protocol headers before its payload reaches the application. The MTU and MSS Calculator demystifies this by computing the exact TCP Maximum Segment Size (MSS) for any combination of interface MTU, encapsulation protocol, and IP/TCP options — helping network engineers eliminate fragmentation, optimise throughput, and correctly configure MSS clamping.
MTU vs MSS: What's the Difference?
MTU (Maximum Transmission Unit) is the largest Layer-2 frame a network interface will transmit — typically 1500 bytes for standard Ethernet. MSS (Maximum Segment Size) is a TCP-level concept: the largest payload a single TCP segment can carry inside that frame. The relationship is simple:
MSS = MTU − IP Header − TCP Header − Options − Encapsulation Overhead Example (plain Ethernet, IPv4, TCP): MSS = 1500 − 20 − 20 = 1460 bytes
Why Encapsulation Eats Into Your MSS
When you add a tunnel or overlay protocol, every packet gets wrapped in additional headers. These headers consume space, shrinking the usable payload of the inner packet. The table below shows common encapsulation overheads:
| Encapsulation | Overhead | Typical Inner MSS (1500 MTU, IPv4/TCP) |
|---|---|---|
| None (plain Ethernet) | 0 B | 1460 B |
| PPPoE | 8 B | 1452 B |
| GRE | 24 B | 1436 B |
| VXLAN | 50 B | 1410 B |
| WireGuard | 60 B | 1400 B |
| GRE + IPsec | 58 B | 1382 B |
| IPsec ESP Tunnel | 73 B | 1367 B |
Path MTU Discovery and Fragmentation
In practice, the bottleneck MTU is not always on the local interface — it may be on a router or firewall further along the path. Path MTU Discovery (PMTUD) is the mechanism by which a host discovers the minimum MTU across the entire path by sending packets with the Don't Fragment (DF) bitset. If a router cannot forward a packet without fragmenting it, it sends an ICMP "Fragmentation Needed" message back to the sender.
When ICMP is blocked by firewalls, PMTUD breaks silently — causing TCP sessions to stall or time out. Enter the remote path MTU in the advanced options to see if a bottleneck exists and what MSS clamp value to apply.
MSS Clamping: The Practical Fix
Rather than relying on PMTUD, many administrators apply MSS clamping on the gateway device. This intercepts TCP SYN packets and rewrites the MSS option to match the safe value for the path. The calculator outputs ready-to-use iptables and nftables commands based on your configuration.
IPv4 vs IPv6 Header Sizes
IPv4 uses a 20-byte base header, while IPv6 uses a 40-byte base header. Extension headers (routing, fragmentation, hop-by-hop options) add further overhead in IPv6. This means an IPv6 TCP session on a 1500-byte Ethernet link starts with a base MSS of 1500 − 40 − 20 = 1440 bytes versus 1460 bytes for IPv4, before any encapsulation.
Additionally, RFC 8200 mandates a minimum IPv6 MTU of 1280 bytes — the calculator will warn you if your configured MTU falls below this threshold.
Jumbo Frames for High-Performance Networking
Data-centre and storage networks often configure jumbo frames with MTUs of 9000 bytes or larger. At 9000 bytes, a plain IPv4/TCP session achieves an MSS of 8940 bytes, dramatically reducing the per-packet CPU overhead of header processing and improving throughput for large file transfers, NFS, and iSCSI workloads.
MPLS Label Stacks
Each MPLS label adds 4 bytes of overhead. A three-label stack (common in MPLS VPN deployments with BGP-free cores) adds 12 bytes, reducing a 1500-byte Ethernet MSS to 1500 − 12 − 20 − 20 = 1448 bytes. Use the MPLS label count input to model your specific label stack depth accurately.
Reverse Mode: MSS to Required MTU
Switch to MSS → MTU mode to plan in the opposite direction. If your application requires a specific MSS (for example, 1350 bytes to accommodate a double-stacked VPN), the calculator tells you the minimum interface MTU needed to support it without fragmentation.