For traffic analysis, it helps to know how a user reached the service. Are they on a home network, a mobile connection, or a VPN? Deep packet inspection is invasive, but the TCP handshake already carries a useful hint. The Maximum Segment Size (MSS) option in the client's SYN is derived from the interface MTU of the host that sent it (MSS plus 40 bytes of IPv4 and TCP headers, or plus 60 bytes for IPv6), so the server can infer the Maximum Transmission Unit (MTU) the connection appears to be using. A middlebox that rewrites the MSS in transit (OpenVPN's mssfix, many ISP routers) lowers the advertised value too, so the inferred MTU reflects the most restrictive clamp on the path rather than the path MTU itself. By analysing those inferred MTU values, we can build "fingerprints" that point to the underlying network technology carrying the connection.
This article looks at how common technologies affect MTU values and shows how a SQL query can turn that data into useful network labels.
What is MTU and Why Does it Change?
The Maximum Transmission Unit (MTU) is the largest packet a link will carry in a single frame, measured at the IP layer. On standard Ethernet this is 1500 bytes: the 14-byte Ethernet header sits outside that figure, while the IP and TCP headers count against it. Larger payloads have to be split into chunks that fit that limit.
Encapsulation and Tunneling
The value starts to shift when tunnelling protocols are involved, including those used by VPNs and mobile networks. These protocols wrap the original data packet inside another packet, a process called encapsulation. The outer packet has its own headers for routing and management.
This encapsulation "steals" space from the original 1500 bytes available on the physical network. If a tunnelling protocol adds 60 bytes of headers, for example, the maximum size for the original data packet is now 1440 bytes (1500 - 60).
The Problem with Fragmentation
What happens if a device tries to send a 1500-byte packet through this 1440-byte tunnel? Either the packet is broken into smaller pieces, a process called fragmentation, or it is dropped. Fragmentation works, but it is inefficient: it consumes CPU on the router performing it, adds header overhead to each fragment, and requires the receiving device to reassemble the pieces, so speed drops and latency rises. It is also not always available. IPv6 routers never fragment, and an IPv4 packet with the Don't Fragment bit set (which modern stacks send by default for path MTU discovery) is dropped instead, with an ICMP "fragmentation needed" message sent back to the sender. If a firewall on the path filters that ICMP, the sender never learns the smaller limit and large transfers simply hang, the classic path MTU black hole.
To avoid that penalty, operating systems and network devices reduce the MTU of the connection to account for the tunnel's overhead. The amount of the reduction follows from the tunnelling protocol in use. That predictable drop is the basis for MTU fingerprinting.
A Guide to Common MTU Values
Different technologies add different overheads, which produces distinct MTU values.
WireGuard
WireGuard is a modern VPN known for its efficiency, but it still adds overhead.
- IPv4 Overhead: 60 bytes (20-byte IPv4 header + 8-byte UDP header + 32-byte WireGuard header).
- IPv6 Overhead: 80 bytes (40-byte IPv6 header + 8-byte UDP header + 32-byte WireGuard header).
On a standard 1500-byte network, that produces predictable MTU values:
1500 - 60 = 1440 bytes (WireGuard over IPv4)
1500 - 80 = 1420 bytes (WireGuard over IPv6)
There is a special case with ISPs that use DS-Lite (Dual-Stack Lite) to carry IPv4 traffic inside an IPv6 tunnel. The extra 40-byte IPv6 header reduces the MTU further. The figure used in this article, and in the query below, is the conservative one:
1420 - 40 = 1380 bytes (WireGuard over DS-Lite)
Strictly, only IPv4 traffic passes through the DS-Lite tunnel, so a WireGuard peer reached over an IPv4 endpoint has 1500 - 40 - 60 = 1400 bytes available; 1380 sits 20 bytes below that and is the value treated as the DS-Lite marker here.
OpenVPN
OpenVPN is another common VPN solution, but its fingerprint is less tidy. Instead of setting a static interface MTU, OpenVPN often uses a feature called mssfix. This dynamically adjusts the Maximum Segment Size (MSS) value within the TCP headers of encapsulated packets to prevent fragmentation.
The MSS is the MTU minus the IP and TCP header sizes (typically 40 bytes for IPv4). The exact MSS value, and therefore the effective MTU, depends on OpenVPN's configuration, including the transport protocol (UDP or TCP), cipher, MAC algorithm, and compression. As noted by security researcher ValdikSS, these unique MSS values can be used to fingerprint a connection with high precision. For example, a common configuration might result in an MSS of 1369, which corresponds to an effective MTU of 1409 (1369 + 40).
For general analysis, connections with an MTU around 1400 or 1380 bytes often indicate OpenVPN or other VPN usage, especially when seen with other factors.
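The MSS-to-MTU relationship above is the whole basis of the inference, so here is an added worked example, written for this page rather than taken from the article or from any tool it mentions, of how a server-side fingerprinter would extract the MSS and window-scale options from a raw TCP SYN and produce the mtu, wsize and scale values that the query later in the article reads. The SYN packets it parses are constructed inside the block with a Linux-style option layout (MSS, SACK-permitted, timestamps, NOP, window scale); those packets, the default-MSS values and the option ordering are assumptions for illustration, not captured traffic.

```python
import struct

# Header sizes used to relate an advertised MSS back to an interface MTU.
IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20
# Defaults a receiver assumes when a SYN carries no MSS option (RFC 6691: 536 / 1220).
DEFAULT_MSS = {4: 536, 6: 1220}


def build_syn(mss=1460, wscale=7, window=65535, sack_ok=True, timestamps=True,
              sport=40000, dport=443):
    """Constructed test input, not captured traffic: a TCP SYN header with a
    Linux-style option list (MSS, SACK-permitted, timestamps, NOP, window scale).
    Pass mss=None or wscale=None to omit those options."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)               # kind 2, len 4
    if sack_ok:
        opts += struct.pack("!BB", 4, 2)                     # kind 4, len 2
    if timestamps:
        opts += struct.pack("!BBII", 8, 10, 1234, 0)         # kind 8, len 10
    if wscale is not None:
        opts += b"\x01" + struct.pack("!BBB", 3, 3, wscale)  # NOP + kind 3, len 3
    opts += b"\x00" * (-len(opts) % 4)                       # pad to a 32-bit boundary
    data_offset = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      data_offset << 4, 0x02, window, 0, 0)  # flags: SYN only
    return hdr + opts


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Walk the option list of a TCP header and return the fields that matter
    for fingerprinting. Malformed lengths raise rather than being guessed."""
    if len(tcp_header) < TCP_HDR:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < TCP_HDR or data_offset > len(tcp_header):
        raise ValueError("data offset outside header")
    opts = {"mss": None, "wscale": None, "sack_ok": False, "timestamps": False}
    i = TCP_HDR
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:                                        # end of option list
            break
        if kind == 1:                                        # NOP
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option length byte missing")
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("option overruns header")
        body = tcp_header[i + 2:i + length]
        if kind == 2 and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            opts["wscale"] = body[0]
        elif kind == 4:
            opts["sack_ok"] = True
        elif kind == 8:
            opts["timestamps"] = True
        i += length
    return opts


def fingerprint_syn(tcp_header: bytes, ip_version: int) -> dict:
    """Infer the sender's interface MTU from its SYN: MSS + IP header + TCP header.
    If a middlebox rewrote the MSS on the way (OpenVPN mssfix, an ISP router),
    the result reflects that clamp, which is exactly what makes it a fingerprint."""
    o = parse_tcp_options(tcp_header)
    mss = o["mss"] if o["mss"] is not None else DEFAULT_MSS[ip_version]
    window = struct.unpack("!H", tcp_header[14:16])[0]
    scale = o["wscale"] if o["wscale"] is not None else 0
    return {
        "mss": mss,
        "mss_present": o["mss"] is not None,
        "mtu": mss + (IPV4_HDR if ip_version == 4 else IPV6_HDR) + TCP_HDR,
        "wsize": window,
        "scale": scale,
        # window << scale is what the query reports as avg_real_wsize; the SYN's own
        # window is never scaled, so this is the window the client will use later.
        "real_wsize": window << scale,
    }


if __name__ == "__main__":
    for label, pkt, v in [
        ("home Ethernet, IPv4", build_syn(mss=1460), 4),
        ("WireGuard over IPv6, inner IPv4", build_syn(mss=1380, wscale=7), 4),
        ("no MSS option (defaults to 536)", build_syn(mss=None, wscale=None), 4),
        ("IPv6 client on a 1500 link", build_syn(mss=1440), 6),
    ]:
        print(f"{label:34s} {fingerprint_syn(pkt, v)}")
```

Two details matter in practice. A SYN without an MSS option means the receiver assumes 536 (IPv4) or 1220 (IPv6), which yields an inferred MTU of 576 or 1280 rather than "unknown", so the mss_present flag should be stored alongside the number. And a malformed option list is rejected rather than skipped, because a fingerprinter that silently guesses on bad input is easy to feed misleading values.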
Mobile Networks (LTE & 5G)
Mobile networks also modify MTU values. When your phone connects to the internet, its data is tunnelled through the carrier's network using the GPRS Tunnelling Protocol (GTP). This encapsulation adds its own layer of headers.
As detailed by Nick vs Networking, the typical overhead for GTP traffic over an Ethernet transport network is 50 bytes:
- 14 bytes for the Ethernet header
- 20 bytes for the outer IPv4 header
- 8 bytes for the UDP header
- 8 bytes for the GTP-U header (the mandatory part; the optional sequence-number and extension-header fields add 4 more)
For a mobile carrier using a standard 1500-byte MTU on its transport network, the maximum MTU available to the user's device is 1450 bytes (1500 - 50).
Mobile devices don't guess this value; they are explicitly told what MTU to use by the network during the connection setup process (via Protocol Configuration Options). Mobile operators have two choices to avoid fragmentation:
- Increase Transport MTU: Enable jumbo frames (for example, 1600 bytes or more) on their internal network to accommodate the 50-byte overhead and still provide a full 1500-byte MTU to the user.
- Lower Advertised MTU: Advertise a lower MTU to the user's device. This is why values such as 1450 are common. Some operators may configure a more conservative MTU, such as 1300 bytes, to maintain stability across all parts of their network.
Other Common Values
- Standard Ethernet: The baseline is 1500 bytes.
- PPPoE: Common for DSL connections, adds 8 bytes of overhead (a 6-byte PPPoE header plus the 2-byte PPP protocol field), resulting in an MTU of 1492 bytes.
- IPv6 Minimum: The IPv6 specification mandates a minimum MTU of 1280 bytes, so this value is also a significant marker.
Analysis with SQL
With this context, we can analyse network logs to classify user connections. The following SQL query buckets and attributes MTU values from a large dataset, turning raw numbers into meaningful labels.
The query works in several stages:
- Extract Data: It parses the MTU, the TCP window size and the window-scale shift from a fingerprint string in the logs, and drops rows where any of the three fails to parse.
- Bucket MTUs: A CASE statement groups MTUs. Jumbo frames (>1500) go into 100-byte buckets and everything else into 20-byte buckets. The values 1500, 1440, 1420 and 1380 are listed explicitly, but each is a multiple of 20, so the ELSE branch would produce the same bucket and they do not get a bucket of their own: 1440 also holds 1441-1459 (which is where the mobile 1450 lands), 1420 holds 1421-1439 and 1380 holds 1381-1399. Read the attribution labels with that in mind.
- Attribute Buckets: In the final SELECT, another CASE statement translates those numeric buckets into human-readable descriptions based on the fingerprints we've identified, alongside the five most common window sizes and scale factors per bucket and the share of connections whose TLS handshake took at least 65 ms longer than the TCP minimum RTT.
The Query
-- Bucketing logic and attribution informed by research from:
-- https://ripx80.de/posts/06-wg-mtu/ (WireGuard)
-- https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413 (OpenVPN)
-- https://nickvsnetworking.com/mtu-in-lte-5g-transmission-networks-part-1/ (Mobile Networks)
WITH base_data AS (
SELECT
toInt32OrNull(splitByChar(':', splitByChar(',', synner_fingerprint)[1])[4]) AS mtu,
toInt32OrNull(splitByChar(':', splitByChar(',', synner_fingerprint)[1])[5]) AS wsize,
toInt32OrNull(splitByChar(':', splitByChar(',', synner_fingerprint)[2])[1]) AS scale,
(tls.handshake_rtt_us - tcp.min_rtt_us) >= 65000 AS is_high_latency
FROM logs.client_logs
WHERE time >= '2025-07-01' AND shielded = 0
),
main_aggs AS (
SELECT
CASE
WHEN mtu = 1500 THEN 1500
WHEN mtu = 1440 THEN 1440
WHEN mtu = 1420 THEN 1420
WHEN mtu = 1380 THEN 1380
WHEN mtu > 1500 THEN 1501 + intDiv(mtu - 1501, 100) * 100
ELSE intDiv(mtu, 20) * 20
END AS mtu_bucket,
countIf(is_high_latency) AS high_latency_count,
countIf(not is_high_latency) AS normal_latency_count,
round(avg(wsize * pow(2, scale))) AS avg_real_wsize
FROM base_data
WHERE mtu IS NOT NULL AND wsize IS NOT NULL AND scale IS NOT NULL
GROUP BY mtu_bucket
),
top_wsizes AS (
SELECT
mtu_bucket,
groupArray((wsize, cnt)) AS top_wsizes
FROM
(
SELECT
CASE
WHEN mtu = 1500 THEN 1500
WHEN mtu = 1440 THEN 1440
WHEN mtu = 1420 THEN 1420
WHEN mtu = 1380 THEN 1380
WHEN mtu > 1500 THEN 1501 + intDiv(mtu - 1501, 100) * 100
ELSE intDiv(mtu, 20) * 20
END AS mtu_bucket,
wsize,
count() AS cnt,
row_number() OVER (PARTITION BY mtu_bucket ORDER BY cnt DESC) AS rn
FROM base_data
WHERE mtu IS NOT NULL AND wsize IS NOT NULL AND scale IS NOT NULL
GROUP BY mtu_bucket, wsize
)
WHERE rn <= 5
GROUP BY mtu_bucket
),
top_scales AS (
SELECT
mtu_bucket,
groupArray((scale, cnt)) AS top_scales
FROM
(
SELECT
CASE
WHEN mtu = 1500 THEN 1500
WHEN mtu = 1440 THEN 1440
WHEN mtu = 1420 THEN 1420
WHEN mtu = 1380 THEN 1380
WHEN mtu > 1500 THEN 1501 + intDiv(mtu - 1501, 100) * 100
ELSE intDiv(mtu, 20) * 20
END AS mtu_bucket,
scale,
count() AS cnt,
row_number() OVER (PARTITION BY mtu_bucket ORDER BY cnt DESC) AS rn
FROM base_data
WHERE mtu IS NOT NULL AND wsize IS NOT NULL AND scale IS NOT NULL
GROUP BY mtu_bucket, scale
)
WHERE rn <= 5
GROUP BY mtu_bucket
)
SELECT
CASE
WHEN mtu_bucket > 1500 THEN concat(toString(mtu_bucket), '-', toString(mtu_bucket + 99))
ELSE concat(toString(mtu_bucket), '-', toString(mtu_bucket + 19))
END AS mtu_range,
CASE
WHEN mtu_bucket = 1500 THEN 'Standard Ethernet'
WHEN mtu_bucket = 1480 THEN 'Likely PPPoE (e.g., 1492)'
WHEN mtu_bucket = 1460 THEN 'Likely DS-Lite/GRE Tunnel'
WHEN mtu_bucket = 1440 THEN 'Likely Mobile LTE/5G (e.g., 1450) / WireGuard over IPv4'
WHEN mtu_bucket = 1420 THEN 'WireGuard over IPv6'
WHEN mtu_bucket = 1400 THEN 'Likely OpenVPN / Mobile'
WHEN mtu_bucket = 1380 THEN 'Likely OpenVPN / WireGuard over DS-Lite / Mobile'
WHEN mtu_bucket = 1300 THEN 'Likely Mobile LTE/5G configured'
WHEN mtu_bucket = 1280 THEN 'IPv6 Minimum'
WHEN mtu_bucket > 1500 THEN 'Jumbo Frame'
ELSE 'Other'
END AS mtu_attribution,
high_latency_count,
normal_latency_count,
round(high_latency_count / (high_latency_count + normal_latency_count), 2) AS high_latency_ratio,
top_wsizes,
top_scales,
avg_real_wsize
FROM main_aggs
LEFT JOIN top_wsizes USING (mtu_bucket)
LEFT JOIN top_scales USING (mtu_bucket)
WHERE (high_latency_count + normal_latency_count) > 10000
ORDER BY mtu_bucket
LIMIT 50 FORMAT Vertical
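As an added example, not part of the original article, the following Python reproduces the query's pipeline end to end so the bucketing and attribution can be checked against a handful of rows: it derives the marker MTU values from the header sizes discussed earlier, parses the fingerprint string the way the query's splitByChar and array indexing do, buckets and labels the MTUs with the same arithmetic as the CASE expressions, and aggregates latency, window size and scale per bucket. The layout of synner_fingerprint beyond the three positions the query reads is not documented on this page, so the sample strings carry placeholder values in the other positions, and the sample rows are made up. The one deliberate departure is that the range column always prints the full 20- or 100-byte span.

```python
from collections import Counter, defaultdict

# Header sizes behind the fingerprints in the article (standard values, bytes).
ETH_MTU, IPV4, IPV6, UDP, WG, GTP, ETH_HDR, PPPOE = 1500, 20, 40, 8, 32, 8, 14, 8

# The marker values, derived from the header sizes rather than typed in.
EXPECTED_MTU = {
    "WireGuard over IPv4": ETH_MTU - (IPV4 + UDP + WG),                     # 1440
    "WireGuard over IPv6": ETH_MTU - (IPV6 + UDP + WG),                     # 1420
    "WireGuard over DS-Lite": ETH_MTU - (IPV6 + UDP + WG) - IPV6,           # 1380
    "Mobile LTE/5G, GTP on 1500 transport": ETH_MTU - (ETH_HDR + IPV4 + UDP + GTP),  # 1450
    "PPPoE": ETH_MTU - PPPOE,                                               # 1492
}

ATTRIBUTION = {  # the labels from the query's final SELECT
    1500: "Standard Ethernet", 1480: "Likely PPPoE (e.g., 1492)",
    1460: "Likely DS-Lite/GRE Tunnel",
    1440: "Likely Mobile LTE/5G (e.g., 1450) / WireGuard over IPv4",
    1420: "WireGuard over IPv6", 1400: "Likely OpenVPN / Mobile",
    1380: "Likely OpenVPN / WireGuard over DS-Lite / Mobile",
    1300: "Likely Mobile LTE/5G configured", 1280: "IPv6 Minimum",
}

def parse_fingerprint(fp):
    """Mirror the query's extraction. Assumed layout (only the positions the query
    reads are known): first comma field, ':'-split, positions 4 and 5 hold mtu and
    wsize; second field, position 1, holds the window scale (ClickHouse arrays are
    1-based, hence the shift). Returns None where toInt32OrNull would give NULL."""
    try:
        first, second = fp.split(",")[:2]
        a, b = first.split(":"), second.split(":")
        return int(a[3]), int(a[4]), int(b[0])
    except (IndexError, ValueError):
        return None

def mtu_bucket(mtu):
    """Same arithmetic as the CASE expression: 100-byte buckets above 1500, 20-byte
    buckets otherwise. The explicit 1500/1440/1420/1380 branches in the query are
    multiples of 20, so the floor division already yields them."""
    return 1501 + (mtu - 1501) // 100 * 100 if mtu > 1500 else mtu // 20 * 20

def bucket_range(b):
    return f"{b}-{b + (99 if b > 1500 else 19)}"

def attribute(b):
    return "Jumbo Frame" if b > 1500 else ATTRIBUTION.get(b, "Other")

def classify(records, high_latency_us=65000, min_count=1):
    """records: (synner_fingerprint, tls_handshake_rtt_us, tcp_min_rtt_us, shielded).
    Reproduces the query's aggregation; the query itself filters with min_count=10000."""
    stats = defaultdict(lambda: {"high": 0, "normal": 0, "wsizes": Counter(),
                                 "scales": Counter(), "real": []})
    for fp, hs_rtt, min_rtt, shielded in records:
        parsed = parse_fingerprint(fp)
        if shielded or parsed is None:      # WHERE shielded = 0 / ... IS NOT NULL
            continue
        mtu, wsize, scale = parsed
        s = stats[mtu_bucket(mtu)]
        s["high" if hs_rtt - min_rtt >= high_latency_us else "normal"] += 1
        s["wsizes"][wsize] += 1
        s["scales"][scale] += 1
        s["real"].append(wsize * 2 ** scale)
    rows = []
    for b in sorted(stats):
        s = stats[b]
        total = s["high"] + s["normal"]
        if total < min_count:
            continue
        rows.append({
            "mtu_range": bucket_range(b),
            "mtu_attribution": attribute(b),
            "high_latency_count": s["high"],
            "normal_latency_count": s["normal"],
            "high_latency_ratio": round(s["high"] / total, 2),
            "top_wsizes": s["wsizes"].most_common(5),
            "top_scales": s["scales"].most_common(5),
            "avg_real_wsize": round(sum(s["real"]) / total),
        })
    return rows

# Constructed sample rows, not real log data. Positions the query does not read
# are placeholders.
SAMPLE = [
    ("4:64240:0:1500:64240,7:1", 30000, 12000, 0),   # home Ethernet
    ("4:64240:0:1500:64240,7:1", 28000, 11000, 0),
    ("4:65535:0:1450:65535,8:1", 110000, 30000, 0),  # mobile 1450, slow handshake
    ("4:65535:0:1450:65535,8:1", 95000, 25000, 0),
    ("4:65535:0:1440:65535,7:1", 40000, 15000, 0),   # WireGuard over IPv4
    ("6:65535:0:1420:65535,7:1", 42000, 16000, 0),   # WireGuard over IPv6
    ("4:64240:0:1492:64240,7:1", 33000, 14000, 0),   # PPPoE
    ("4:64240:0:9000:64240,7:1", 5000, 1000, 0),     # jumbo-configured host
    ("garbage", 1000, 500, 0),                        # unparseable, dropped
    ("4:64240:0:1500:64240,7:1", 30000, 12000, 1),   # shielded, excluded
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

Running it prints one dict per bucket. On the constructed sample the 1440-1459 bucket collects both mobile rows and the WireGuard row, which is the ambiguity the attribution label for that bucket spells out; the high-latency ratio (2 of 3) is what separates them here, just as the query's high_latency_ratio column is meant to. min_count defaults to 1 so every bucket shows; the query uses 10000 for the same filter.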
Why Jumbo Frames Matter
Jumbo frames (MTU values greater than 1500 bytes) are a useful edge case in MTU fingerprinting. These frames, typically ranging from 9000-9216 bytes, are primarily used in high-performance computing environments, data centres, and enterprise networks where throughput optimisation is important.
When we detect jumbo frame MTUs in our analysis, they often indicate:
- Enterprise Users: Corporate networks frequently enable jumbo frames for internal communications
- Data Centre Traffic: Cloud services and CDNs often use jumbo frames between their infrastructure
- High-Performance Applications: Video streaming, large file transfers, and backup operations can benefit from larger frame sizes
- Network Misconfiguration: Jumbo frames sometimes appear because of network equipment misconfiguration
The presence of jumbo frames can help distinguish consumer and enterprise traffic, adding useful context for traffic classification and security analysis. One caveat: the advertised MSS comes from the client's own interface MTU, not from the path, so a host with a 9000-byte interface behind an ordinary 1500-byte internet link still announces an MSS of 8960 and lands in the jumbo bucket. The label therefore says something about the client's configuration rather than about the links in between.
Practical Use Cases and Applications
MTU fingerprinting is useful across several security and operational domains:
Security Applications
VPN Detection for Compliance: Organisations can identify employees bypassing corporate network policies with personal VPNs, supporting compliance with data governance requirements.
Bot Traffic Classification: Automated traffic from residential proxy networks often shows consistent MTU patterns that differ from genuine residential users, improving bot detection.
Threat Intelligence Enhancement: Correlating MTU patterns with other indicators helps build broader threat profiles and improves attack attribution.
Network Operations
Performance Optimisation: Understanding the MTU distribution of your user base helps optimise content delivery and reduce fragmentation-related performance issues.
Infrastructure Planning: MTU analysis reveals the underlying network technologies your users employ, informing CDN placement and capacity planning decisions.
Quality of Service: Different MTU patterns correlate with connection quality, enabling proactive support for users on constrained networks.
Business Intelligence
Market Analysis: Geographic and demographic patterns in MTU distribution reveal technology adoption trends and market characteristics.
User Experience Optimisation: Identifying users on mobile or constrained networks enables adaptive content delivery and interface optimisation.
Dynamic Analysis vs Static IP Databases
MTU fingerprinting is a dynamic signal, which makes it useful alongside static IP reputation databases. It has several practical advantages:
Real-Time Adaptation
Static IP databases go stale. A residential IP address might be flagged as malicious based on historical activity, but MTU fingerprinting analyses the current network configuration. This dynamic approach captures the infrastructure being used at the moment of connection, providing more accurate and timely intelligence.
Circumvention Resistance
Attackers can rotate IP addresses or use clean residential proxies to bypass static blacklists. The MTU signal is tied to the network path rather than to the address, so it survives IP rotation, but it is not tamper-proof: the advertised MSS is set by the client's kernel and can be changed in one command (for example an advmss setting on the route with ip route on Linux, or an iptables TCPMSS rule on a proxy host). Treat it as a signal to combine with others, not as a standalone control.
Granular Classification
Where an IP reputation lookup typically returns a verdict (malicious/benign) or a coarse category, MTU fingerprinting offers more detail on the specific technologies and configurations in use. This granularity enables more sophisticated risk assessment and response strategies.
Reduced False Positives
Static databases often flag legitimate users sharing IP addresses with malicious actors, which is common behind carrier-grade NAT at residential ISPs and mobile carriers. MTU fingerprinting looks at the connection's own network characteristics rather than the address's history, so it does not penalise a user merely for sharing an address.
Infrastructure Transparency
MTU analysis reveals the network path and technologies involved in a connection, providing transparency that static IP databases cannot match. This visibility enables more informed security decisions and a better understanding of threat actor capabilities.
Conclusion
MTU fingerprinting turns network metadata into useful context about the infrastructure behind a connection. Unlike static databases that rely on historical reputation, this dynamic analysis technique provides real-time insight into network technologies, user behaviours, and potential security threats.
By understanding MTU patterns, security teams can identify likely VPN usage, classify mobile traffic, spot residential proxy infrastructure, and optimise network performance. Because it is independent of IP reputation, it complements those databases rather than replacing them, and used as one signal among several it is a useful addition to modern security architectures.
As network technologies continue to evolve, MTU fingerprinting provides a stable way to understand and classify traffic based on fundamental network characteristics rather than short-lived indicators. That makes it a practical signal for network security and operations.