We often seek to understand how users connect to our services. Are they on a home network, a mobile connection, or are they using a VPN? While deep packet inspection is invasive, a surprisingly simple piece of metadata can reveal surprising information: the Maximum Transmission Unit (MTU). By analyzing the MTU values from TCP handshakes, we can create "fingerprints" that reveal the underlying network technology a user is on.
This article explores how different technologies leave their mark on the MTU and demonstrates how a simple SQL query can turn this data into actionable intelligence.
What is MTU and Why Does it Change?
The Maximum Transmission Unit (MTU) is the largest size of a data packet, or frame, that a network-connected device can transmit. For standard Ethernet networks, this value is typically 1500 bytes. This means that any data sent over the network is chopped into 1500-byte chunks.
Encapsulation and Tunneling
Things get interesting when we introduce tunneling protocols, like those used by VPNs or mobile networks. These protocols wrap the original data packet inside another packet, a process called encapsulation. This outer packet has its own set of headers for routing and management.
This encapsulation "steals" space from the original 1500 bytes available on the physical network. For example, if a tunneling protocol adds 60 bytes of headers, the maximum size for the original data packet is now only 1440 bytes (1500 - 60).
The Problem with Fragmentation
What happens if a device tries to send a 1500-byte packet through this 1440-byte tunnel? The packet must be broken into smaller pieces, a process called fragmentation. While this works, it's highly inefficient. Fragmentation consumes CPU resources on the router performing it, adds extra header overhead to each fragment, and requires the receiving device to reassemble the pieces. This all leads to lower speeds and higher latency.
To avoid this performance penalty, operating systems and network devices are designed to reduce the MTU of the connection to account for the tunnel's overhead. The amount of this reduction is a direct result of the specific tunneling protocol being used. This predictable reduction is the key to MTU fingerprinting.
A Guide to Common MTU Values
Different technologies have different overheads, resulting in distinct MTU values.
WireGuard
WireGuard is a modern VPN known for its efficiency, but it still adds overhead.
- IPv4 Overhead: 60 bytes (20-byte IPv4 header + 8-byte UDP header + 32-byte WireGuard header).
- IPv6 Overhead: 80 bytes (40-byte IPv6 header + 8-byte UDP header + 32-byte WireGuard header).
This leads to predictable MTU values for users on a standard 1500-byte network:
1500 - 60 = 1440 bytes(WireGuard over IPv4)1500 - 80 = 1420 bytes(WireGuard over IPv6)
A special case arises with ISPs that use DS-Lite (Dual-Stack Lite) to carry IPv4 traffic over an IPv6 network. This adds another 40-byte IPv6 header, further reducing the MTU.
1420 - 40 = 1380 bytes(WireGuard over DS-Lite)
OpenVPN
OpenVPN is another popular VPN solution, but its fingerprint is more complex. Instead of setting a static interface MTU, OpenVPN often uses a feature called mssfix. This dynamically adjusts the Maximum Segment Size (MSS) value within the TCP headers of encapsulated packets to prevent fragmentation.
The MSS is the MTU minus the IP and TCP header sizes (typically 40 bytes for IPv4). The exact MSS value, and thus the effective MTU, depends on OpenVPN's configuration—including the transport protocol (UDP or TCP), cipher, MAC algorithm, and compression. As noted by security researcher ValdikSS, these unique MSS values can be used to fingerprint a connection with high precision. For example, a common configuration might result in an MSS of 1369, which corresponds to an effective MTU of 1409 (1369 + 40).
For general analysis, connections with an MTU around 1400 or 1380 bytes are often indicative of OpenVPN or other VPN usage, especially when seen in conjunction with other factors.
Mobile Networks (LTE & 5G)
Mobile networks present another fascinating case of MTU modification. When your phone connects to the internet, its data is tunneled through the carrier's network using the GPRS Tunnelling Protocol (GTP). This encapsulation adds its own layer of headers.
As detailed by Nick vs Networking, the typical overhead for GTP traffic over an Ethernet transport network is 50 bytes:
- 14 bytes for the Ethernet header
- 20 bytes for the outer IPv4 header
- 8 bytes for the UDP header
- 8 bytes for the GTP header
This means that for a mobile carrier using a standard 1500-byte MTU on their transport network, the maximum MTU available to the user's device is 1450 bytes (1500 - 50).
Mobile devices don't guess this value; they are explicitly told what MTU to use by the network during the connection setup process (via Protocol Configuration Options). Mobile operators have two choices to avoid fragmentation:
- Increase Transport MTU: Enable jumbo frames (e.g., 1600 bytes or more) on their internal network to accommodate the 50-byte overhead and still provide a full 1500-byte MTU to the user.
- Lower Advertised MTU: Advertise a lower MTU to the user's device. This is why values like 1450 are common. Some operators may even configure a more conservative MTU, such as 1300 bytes, to ensure stability across all parts of their network.
Other Common Values
- Standard Ethernet: The baseline of 1500 bytes.
- PPPoE: Common for DSL connections, adds 8 bytes of overhead, resulting in an MTU of 1492 bytes.
- IPv6 Minimum: The IPv6 specification mandates a minimum MTU of 1280 bytes, so this value is also a significant marker.
Analysis with SQL
With this knowledge, we can analyze network logs to classify user connections. The following SQL query demonstrates how to bucket and attribute MTU values from a massive dataset, turning raw numbers into meaningful labels.
The query works in several stages:
- Extract Data: It starts by parsing the MTU from a fingerprint string in the logs.
- Bucket MTUs: It uses a
CASEstatement to group MTUs. Specific, known values (like 1500, 1440, 1420, 1380) are put into their own buckets. Jumbo frames (>1500) are grouped into 100-byte buckets, and everything else is grouped into 20-byte buckets. - Attribute Buckets: In the final
SELECT, anotherCASEstatement translates these numeric buckets into human-readable descriptions based on the fingerprints we've identified.
The Query
-- Bucketing logic and attribution informed by research from:
-- https://ripx80.de/posts/06-wg-mtu/ (WireGuard)
-- https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413 (OpenVPN)
-- https://nickvsnetworking.com/mtu-in-lte-5g-transmission-networks-part-1/ (Mobile Networks)
WITH base_data AS (
SELECT
toInt32OrNull(splitByChar(':', splitByChar(',', synner_fingerprint)[1])[4]) AS mtu,
toInt32OrNull(splitByChar(':', splitByChar(',', synner_fingerprint)[1])[5]) AS wsize,
toInt32OrNull(splitByChar(':', splitByChar(',', synner_fingerprint)[2])[1]) AS scale,
(tls.handshake_rtt_us - tcp.min_rtt_us) >= 65000 AS is_high_latency
FROM logs.client_logs
WHERE time >= '2025-07-01' AND shielded = 0
),
main_aggs AS (
SELECT
CASE
WHEN mtu = 1500 THEN 1500
WHEN mtu = 1440 THEN 1440
WHEN mtu = 1420 THEN 1420
WHEN mtu = 1380 THEN 1380
WHEN mtu > 1500 THEN 1501 + intDiv(mtu - 1501, 100) * 100
ELSE intDiv(mtu, 20) * 20
END AS mtu_bucket,
countIf(is_high_latency) AS high_latency_count,
countIf(not is_high_latency) AS normal_latency_count,
round(avg(wsize * pow(2, scale))) AS avg_real_wsize
FROM base_data
WHERE mtu IS NOT NULL AND wsize IS NOT NULL AND scale IS NOT NULL
GROUP BY mtu_bucket
),
top_wsizes AS (
SELECT
mtu_bucket,
groupArray((wsize, cnt)) AS top_wsizes
FROM
(
SELECT
CASE
WHEN mtu = 1500 THEN 1500
WHEN mtu = 1440 THEN 1440
WHEN mtu = 1420 THEN 1420
WHEN mtu = 1380 THEN 1380
WHEN mtu > 1500 THEN 1501 + intDiv(mtu - 1501, 100) * 100
ELSE intDiv(mtu, 20) * 20
END AS mtu_bucket,
wsize,
count() AS cnt,
row_number() OVER (PARTITION BY mtu_bucket ORDER BY cnt DESC) AS rn
FROM base_data
WHERE mtu IS NOT NULL AND wsize IS NOT NULL AND scale IS NOT NULL
GROUP BY mtu_bucket, wsize
)
WHERE rn <= 5
GROUP BY mtu_bucket
),
top_scales AS (
SELECT
mtu_bucket,
groupArray((scale, cnt)) AS top_scales
FROM
(
SELECT
CASE
WHEN mtu = 1500 THEN 1500
WHEN mtu = 1440 THEN 1440
WHEN mtu = 1420 THEN 1420
WHEN mtu = 1380 THEN 1380
WHEN mtu > 1500 THEN 1501 + intDiv(mtu - 1501, 100) * 100
ELSE intDiv(mtu, 20) * 20
END AS mtu_bucket,
scale,
count() AS cnt,
row_number() OVER (PARTITION BY mtu_bucket ORDER BY cnt DESC) AS rn
FROM base_data
WHERE mtu IS NOT NULL AND wsize IS NOT NULL AND scale IS NOT NULL
GROUP BY mtu_bucket, scale
)
WHERE rn <= 5
GROUP BY mtu_bucket
)
SELECT
CASE
WHEN mtu_bucket IN (1500, 1440, 1420, 1380) THEN toString(mtu_bucket)
WHEN mtu_bucket > 1500 THEN concat(toString(mtu_bucket), '-', toString(mtu_bucket + 99))
ELSE concat(toString(mtu_bucket), '-', toString(mtu_bucket + 19))
END AS mtu_range,
CASE
WHEN mtu_bucket = 1500 THEN 'Standard Ethernet'
WHEN mtu_bucket = 1480 THEN 'Likely PPPoE (e.g., 1492)'
WHEN mtu_bucket = 1460 THEN 'Likely DS-Lite/GRE Tunnel'
WHEN mtu_bucket = 1440 THEN 'Likely Mobile LTE/5G (e.g., 1450) / WireGuard over IPv4'
WHEN mtu_bucket = 1420 THEN 'WireGuard over IPv6'
WHEN mtu_bucket = 1400 THEN 'Likely OpenVPN / Mobile'
WHEN mtu_bucket = 1380 THEN 'Likely OpenVPN / WireGuard over DS-Lite / Mobile'
WHEN mtu_bucket = 1300 THEN 'Likely Mobile LTE/5G configured'
WHEN mtu_bucket = 1280 THEN 'IPv6 Minimum'
WHEN mtu_bucket > 1500 THEN 'Jumbo Frame'
ELSE 'Other'
END AS mtu_attribution,
high_latency_count,
normal_latency_count,
round(high_latency_count / (high_latency_count + normal_latency_count), 2) AS high_latency_ratio,
top_wsizes,
top_scales,
avg_real_wsize
FROM main_aggs
LEFT JOIN top_wsizes USING (mtu_bucket)
LEFT JOIN top_scales USING (mtu_bucket)
WHERE (high_latency_count + normal_latency_count) > 10000
ORDER BY mtu_bucket
LIMIT 50 FORMAT Vertical
Why Jumbo Frames Matter
Jumbo frames (MTU values greater than 1500 bytes) represent a fascinating edge case in MTU fingerprinting. These frames, typically ranging from 9000-9216 bytes, are primarily used in high-performance computing environments, data centers, and enterprise networks where throughput optimization is critical.
When we detect jumbo frame MTUs in our analysis, they often indicate:
- Enterprise Users: Corporate networks frequently enable jumbo frames for internal communications
- Data Center Traffic: Cloud services and CDNs often use jumbo frames between their infrastructure
- High-Performance Applications: Video streaming, large file transfers, and backup operations benefit from larger frame sizes
- Network Misconfiguration: Occasionally, jumbo frames appear due to network equipment misconfiguration
The presence of jumbo frames can help distinguish between consumer and enterprise traffic, providing valuable context for traffic classification and security analysis.
Practical Use Cases and Applications
MTU fingerprinting provides actionable intelligence across multiple security and operational domains:
Security Applications
VPN Detection for Compliance: Organizations can identify employees bypassing corporate network policies by using personal VPNs, ensuring compliance with data governance requirements.
Bot Traffic Classification: Automated traffic from residential proxy networks often exhibits consistent MTU patterns that differ from genuine residential users, enabling more accurate bot detection.
Threat Intelligence Enhancement: Correlating MTU patterns with other indicators helps build comprehensive threat profiles and improves attack attribution.
Network Operations
Performance Optimization: Understanding the MTU distribution of your user base helps optimize content delivery and reduce fragmentation-related performance issues.
Infrastructure Planning: MTU analysis reveals the underlying network technologies your users employ, informing CDN placement and capacity planning decisions.
Quality of Service: Different MTU patterns correlate with connection quality, enabling proactive support for users on constrained networks.
Business Intelligence
Market Analysis: Geographic and demographic patterns in MTU distribution reveal technology adoption trends and market characteristics.
User Experience Optimization: Identifying users on mobile or constrained networks enables adaptive content delivery and interface optimization.
Dynamic Analysis vs Static IP Databases
MTU fingerprinting represents a fundamental shift from static to dynamic threat intelligence, offering several critical advantages over traditional IP reputation databases:
Real-Time Adaptation
Static IP databases suffer from inherent staleness. A residential IP address might be flagged as malicious based on historical activity, but MTU fingerprinting analyzes the current network configuration. This dynamic approach captures the actual infrastructure being used at the moment of connection, providing more accurate and timely intelligence.
Circumvention Resistance
Attackers can easily rotate IP addresses or use clean residential proxies to bypass static blacklists. However, they cannot easily manipulate the fundamental network characteristics that influence MTU values. The MTU is determined by the underlying network infrastructure, making it significantly harder to spoof or manipulate.
Granular Classification
Where IP databases provide binary classifications (malicious/benign), MTU fingerprinting offers nuanced insights into the specific technologies and configurations in use. This granularity enables more sophisticated risk assessment and response strategies.
Reduced False Positives
Static databases often flag legitimate users sharing IP addresses with malicious actors (common with residential ISPs and mobile carriers). MTU fingerprinting focuses on network behavior rather than IP reputation, significantly reducing false positive rates while maintaining security effectiveness.
Infrastructure Transparency
MTU analysis reveals the actual network path and technologies involved in a connection, providing transparency that static IP databases cannot match. This visibility enables more informed security decisions and better understanding of threat actor capabilities.
Conclusion
MTU fingerprinting transforms network metadata into actionable intelligence, revealing the hidden infrastructure behind every connection. Unlike static databases that rely on historical reputation, this dynamic analysis technique provides real-time insights into network technologies, user behaviors, and potential security threats.
By understanding MTU patterns, security teams can identify VPN usage, classify mobile traffic, detect residential proxy abuse, and optimize network performance. The technique's resistance to circumvention and low false-positive rates make it an invaluable addition to modern security architectures.
As network technologies continue to evolve, MTU fingerprinting provides a stable foundation for understanding and classifying traffic based on fundamental network characteristics rather than ephemeral indicators. This approach enables more robust, adaptive, and intelligent network security and operations.
