Wireshark

  • Riverbed Technology
  • WinPcap
the world's foremost network protocol analyzer
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-users: Re: [Wireshark-users] TCP Window Sizes

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Wed, 10 Sep 2008 19:23:47 -0400

Aaron Allen wrote:

My attachments were a bit too large, I have put the attachments referenced below up at this site temporarily:
http://216.248.62.108/wireshark/

Sake,
Sorry, to be more clear:
Windows 2008 -> Amazon (this is where I'm seeing problems) Vista Workstation -> Amazon (I consistently get 8-10mbit)

I've attached local and SPAN packet captures from two uploads to S3.  The "largewindow" captures are from the Vista workstation and the "smallwindow" captures are from the windows 2008 server.

The NIC in the server is an Intel Pro 1000 MT and I have disabled "Large Send Offload" (which is intel slang for TCP segmentation offloading).  Of course, drivers are updated.

Hansang,
I see what you are talking about when I look at the TCP graphs.  Netstat -t is showing the connections in state "InHost" which would eliminate the possibility of offload problems (I assume?).

I'll admit, I'm confused.  I see larger window sizes in the packet captures from the Vista workstation, but not from the Windows 2008 server.  The packet captures from the local and SPAN session vary greatly from the Vista machine.  Since that NIC has "Large Send Offload" enabled, I'm guessing the workstation NIC is handling segmentation, and thus the differences.

Is it possible that this is an application limitation?  I really thought this should all be transparent to the app.

Thanks for all your help!
OK, I think I know what's going on. There is actually a lot going on in this trace. For example, you are seeing some congestion as the syn/syn+ack is 70ms, but some ACKs come back in 11ms.
But the key thing here is the 8192 byte sending buffer by the application. Clearly TCP is not at fault here. But then someone in my team noticed something. You are doing a PUT from IE correct? 

See:  http://support.microsoft.com/kb/329781
The PUT default sending buffer (not to be confused to TCP send buffer) defaults to 8192 bytes. 

Let us know if that fixes it.

--

Thanks,
Hansang
  • Follow-Ups:
    • Re: [Wireshark-users] TCP Window Sizes
      • From: Sake Blok
  • References:
    • Re: [Wireshark-users] TCP Window Sizes
      • From: Aaron Allen
  • Prev by Date: [Wireshark-users] VDX Decode
  • Next by Date: [Wireshark-users] Wireshark filters
  • Previous by thread: Re: [Wireshark-users] TCP Window Sizes
  • Next by thread: Re: [Wireshark-users] TCP Window Sizes
  • Index(es):
    • Date
    • Thread

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation