Wireshark-users: Re: [Wireshark-users] TCP Window Sizes


From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 12 Sep 2008 06:34:05 +0200

On Wed, Sep 10, 2008 at 07:23:47PM -0400, Hansang Bae wrote:
> Aaron Allen wrote:
> > My attachments were a bit too large, I have put the attachments 
> > referenced below up at this site temporarily:
> > http://216.248.62.108/wireshark/

Great, thanks!

> > I'll admit, I'm confused.  I see larger window sizes in the 
> > packet captures from the Vista workstation, but not from the 
> > Windows 2008 server.  The packet captures from the local and 
> > SPAN session vary greatly from the Vista machine.  Since that 
> > NIC has "Large Send Offload" enabled, I'm guessing the 
> > workstation NIC is handling segmentation, and thus the differences.

That's exactly what happens.

> > Is it possible that this is an application limitation?  I 
> > really thought this should all be transparent to the app.

Well, I'm not an expert in how applications interact with the
TCP/IP stack. But it is clear that it is a local problem on
your Win2008 box.

> But the key thing here is the 8192 byte sending buffer by the 
> application.  Clearly TCP is not at fault here.  But then someone in my 
> team noticed something.  You are doing a PUT from IE correct?

I did not see the "User-Agent" header in the request, is this a custom
application doing the PUT? If so, could you try the same action
from a browser, to see if it makes a difference?

> See:  http://support.microsoft.com/kb/329781
> 
> The PUT default sending buffer (not to be confused with the TCP send buffer) 
> defaults to 8192 bytes.

I agree with this; it all looks like the application is using a fixed 
8K send buffer, so it is not able to fully utilize the TCP window
that Amazon advertises.

Cheers,
    Sake
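
The comparison made in this message, as an added example that is not part of the original post: measure the peak unacknowledged bytes a sender keeps in flight and compare it with the window the receiver advertises. The `Seg` record, the host labels and the sample segments are constructed for illustration; real input would be per-packet fields exported from a capture.

```python
from collections import namedtuple

# One TCP segment exported from a capture. seq/ack are byte sequence numbers,
# win is the advertised receive window after window scaling is applied.
Seg = namedtuple("Seg", "src seq length ack win")

def flight_stats(segments, sender, receiver):
    """Return (peak unacknowledged bytes, smallest window the receiver advertised)."""
    highest_sent = highest_acked = None
    peak, min_win = 0, None
    for s in segments:
        if s.src == sender and s.length > 0:
            if highest_sent is None:              # first data byte sets the baseline
                highest_sent = highest_acked = s.seq
            highest_sent = max(highest_sent, s.seq + s.length)
        elif s.src == receiver:
            min_win = s.win if min_win is None else min(min_win, s.win)
            if highest_acked is not None:
                highest_acked = max(highest_acked, s.ack)
        if highest_sent is not None:
            peak = max(peak, highest_sent - highest_acked)
    return peak, min_win

def limiting_side(peak, min_win, threshold=0.9):
    """Say which side capped throughput: the receive window or the sender."""
    if min_win is None:
        return "unknown"
    if peak >= threshold * min_win:
        return "receiver window"
    return "sender (application buffer or congestion window)"

def constructed_capture(writes=3, chunk=8192, mss=1460, rwin=65535):
    """Constructed sample: sender emits one `chunk`, then waits for the ACK."""
    segs, seq = [], 1
    for _ in range(writes):
        end = seq + chunk
        while seq < end:
            n = min(mss, end - seq)
            segs.append(Seg("client", seq, n, 1, 64240))
            seq += n
        segs.append(Seg("server", 1, 0, seq, rwin))
    return segs

if __name__ == "__main__":
    peak, win = flight_stats(constructed_capture(), "client", "server")
    print(peak, win, limiting_side(peak, win))
```

A peak that sits at a round value such as 8192 while the advertised window is far larger points at the sending side, which matches the fixed 8K buffer discussed above.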
