Wireshark-dev: [Wireshark-dev] packet-tcp.c (expert severity level of zero window)

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Sat, 05 Apr 2008 14:16:39 -0700
sake@xxxxxxxxxxxxx wrote:
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=24797

User: sake
Date: 2008/04/05 08:18 PM

Log:
Raise the expert priority of all "zero window" related events from note to error, as a window size of 0 indicates serious problems in the tcp session.

Hi Sake!

I'm sorry, but I must disagree with your point of view here. First of all, my experience is that putting the severity level too high is just not a good idea. My idea is that the current error level should be used only for really serious problems like malformed packets, internal dissector bugs and the like.

A zero window is a "normal behaviour" of a TCP network, if the receiving side is slower in processing the incoming data than the sending side is doing its job. Whether this indicates a problem in your network or not depends on what you're doing. In the embedded world where I (was) work(ing), this is a pretty common behaviour and nothing really special (the initial window size is already pretty low, often only 1500 bytes or so, mainly because of limited memory reasons), therefore I've chosen the note severity for the zero window stuff.


I can understand that this situation differs depending on the way the network is used, but error for all that seems to be way too high for me. So what about:

a) use warn for "window is full" and "zero window" messages
b) use note for the zero window probing, as it's actually normal behaviour trying to recover from the zero window


I've done similar for the TCP sequence: "previous segment lost" is a warn, the usual "Duplicate ACK" and "Retransmission" appearing afterwards to recover from it only use note. This way you'll usually see the actual problem cause pretty well and the recovery from the problem (usually a lot more packets) is with lower severity.

Having fewer messages at higher severity levels makes it a lot easier to work with the expert infos, compared to having all kinds of stuff dumped on you.

As I wouldn't call myself a real TCP expert, what do others think?

Regards, ULFL
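
The severity split proposed in this message (warn for "window full" and "zero window", note for the zero window probe), as an added example that is not code from packet-tcp.c or from the thread. The segment struct, the simplified detection conditions (no window scaling, no SYN/FIN/RST handling) and the trace are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Ordered like Wireshark's expert severities. */
enum sev { SEV_NONE, SEV_CHAT, SEV_NOTE, SEV_WARN, SEV_ERROR };
/* Hypothetical simplified segment: no window scaling, no SYN/FIN/RST. */
struct seg { int dir; uint32_t seq, ack, len, win; };
/* Last ACK number and window each side advertised (index = direction). */
struct flow { uint32_t ack, win; int seen; };

/* Classify one segment using the severities proposed in the mail above. */
enum sev classify(struct flow st[2], const struct seg *s, const char **what) {
    const struct flow *rev = &st[!s->dir];  /* what the peer last advertised */
    enum sev r = SEV_NONE;
    *what = "";
    if (s->win == 0) {
        r = SEV_WARN; *what = "zero window";
    } else if (rev->seen && rev->win == 0 && s->len == 1 && s->seq == rev->ack) {
        r = SEV_NOTE; *what = "zero window probe";  /* recovery attempt */
    } else if (rev->win > 0 && s->len > 0 && s->seq + s->len == rev->ack + rev->win) {
        r = SEV_WARN; *what = "window full";        /* sender used all of it */
    }
    st[s->dir] = (struct flow){ s->ack, s->win, 1 };
    return r;
}

/* Constructed trace: A (dir 0) sends faster than B (dir 1) reads. */
static const struct seg trace[] = {
    {1,    1,    1,    0, 3000},  /* B advertises a 3000-byte window */
    {0,    1,    1, 1500, 8192},
    {0, 1501,    1, 1500, 8192},  /* this segment fills B's window   */
    {1,    1, 3001,    0,    0},  /* B's buffer is full              */
    {0, 3001,    1,    1, 8192},  /* A probes with a single byte     */
    {1,    1, 3002,    0, 3000},  /* B reopens the window            */
};

/* Count events at or above a threshold (min above SEV_NONE), like an expert-info filter. */
int count_at_least(enum sev min) {
    struct flow st[2] = {{0, 0, 0}, {0, 0, 0}};
    const char *what;
    int n = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (classify(st, &trace[i], &what) >= min) n++;
    return n;
}

int main(void) {
    printf("warn+: %d  note+: %d\n", count_at_least(SEV_WARN), count_at_least(SEV_NOTE));
    return 0;
}
```

On this trace the cause (window full, then zero window) surfaces at warn while the probe stays at note, and nothing reaches error.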