Linux ping mtu and fragmentation

linux mtu ping

I've been experimenting with the ping utility on Linux. I set an MTU of 500 bytes on my router. Now, when I ping an external host, I get the following output:

ping -c 3 -s 1300 10.0.2.1        
PING 10.0.2.1 (10.0.2.1) 1300(1328) bytes of data. 
From 10.0.1.254 icmp_seq=1 Frag needed and DF set (mtu = 500)
1308 bytes from 10.0.2.1: icmp_seq=2 ttl=62 time=1.12 ms 
1308 bytes from 10.0.2.1: icmp_seq=3 ttl=62 time=1.14 ms

--- 10.0.2.1 ping statistics ---
3 packets transmitted, 2 received, +1 errors, 33% packet loss, time 2000ms
rtt min/avg/max/mdev = 1.123/1.134/1.146/0.035 ms

So, the first message is discarded by the router, because the MTU of the interface was exceeded. That was expected, because the DF flag is set by default. Therefore, it can't fragment and the error occurs; so far so good. But what happened to the other two packets? Why did they get through? I can imagine that the ping tool, after getting the ICMP error, doesn't set the DF flag in further packets, so that they can be fragmented. Is that right? Where can I find the "official" explanation of this?

Thank you very much!

SOLUTION: It is part of the PMTUD protocol.
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html#t4

Best Answer

When a router should fragment but it receives the IP datagram with the DF flag set, it sends an ICMP message (type: should fragment but DF is set) to the source. Then the source adjusts the MTU and sends the datagram again. This is how PMTUD works.

What happens here is that after you receive the ICMP from the router, you adjust the MTU to 500 for the path, so the following Ping Requests you are sending have the DF flag set, but they are fragmented at the source (meaning that your machine is sending the Ping Request fragmented into several datagrams).
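
The sizes involved in the exchange above, as an added example that is not part of the original question or answer: it parses a constructed ICMP "fragmentation needed" message (type 3, code 4, RFC 1191 layout) for the next-hop MTU and computes how the 1308-byte echo request splits at that MTU. The function names, the option-less 20-byte IPv4 header and the sample message are assumptions.

```python
import struct

IP_HDR = 20  # assumption: IPv4 header without options

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """Build a constructed ICMP type 3 / code 4 message (RFC 1191 layout)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_frag_needed(icmp: bytes):
    """Return the next-hop MTU, or None if not a valid type 3 / code 4 message."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return mtu if (icmp_type, code) == (3, 4) else None

def plan_fragments(ip_payload_len: int, mtu: int):
    """Split an IP payload into (offset in 8-byte units, data length, MF flag)."""
    per_frag = (mtu - IP_HDR) // 8 * 8  # non-final fragments carry a multiple of 8
    if per_frag < 8:
        raise ValueError("MTU too small to carry a fragment")
    plan, sent = [], 0
    while sent < ip_payload_len:
        size = min(per_frag, ip_payload_len - sent)
        plan.append((sent // 8, size, sent + size < ip_payload_len))
        sent += size
    return plan

# Constructed sample: the router's error for icmp_seq=1 (mtu = 500). The quoted
# original datagram (IP header + 8 bytes) is a zero-filled placeholder.
SAMPLE_ERROR = build_frag_needed(500, b"\x45" + b"\x00" * 27)

def demo():
    mtu = parse_frag_needed(SAMPLE_ERROR)
    # ping -s 1300: 8-byte ICMP header + 1300 data bytes = 1308 bytes of IP payload
    return mtu, plan_fragments(8 + 1300, mtu)

if __name__ == "__main__":
    mtu, plan = demo()
    print("path MTU:", mtu)
    for off, size, mf in plan:
        print(f"offset={off * 8:4d} total_len={size + IP_HDR:4d} MF={int(mf)}")
```

PMTUD depends on this ICMP error reaching the sender, so a firewall that filters ICMP type 3 code 4 leaves oversized DF packets silently dropped with no MTU adjustment.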
