Wireshark-dev: Re: [Wireshark-dev] packet-tcp.c (expert severity level of zero window)
From: Michael Tüxen <[email protected]>
Date: Sun, 6 Apr 2008 18:37:35 +0200
Hi Sake,

I agree with Ulf here. Announcing a zero window is a valid
behaviour of a receiver. It just means that flow control
has kicked in.

For me an error is something that has to be changed. For
me, this is not true in this situation.

However, I think it is important to use these levels
in a consistent way between different dissectors, so
I would like to know what others think about how an error
should be defined. I'm planning to add expert info to
the SCTP dissector.

Best regards

On Apr 5, 2008, at 11:16 PM, Ulf Lamping wrote:
[email protected] wrote:
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=24797
User: sake
Date: 2008/04/05 08:18 PM

Raise the expert priority of all "zero window" related events from
note to error, as a window size of 0 indicates serious problems
in the tcp session.

Hi Sake!

I'm sorry, but I must disagree with your point of view here. First of
all, my experience is that putting the severity level too high is just
not a good idea. My idea is that the current error level should be used
only for really serious problems like malformed packets, internal
dissector bugs and the like.

A zero window is a "normal behaviour" of a TCP network, if the receiving
side is slower in processing the incoming data than the sending side is
doing its job. Whether this indicates a problem in your network or not
depends on what you're doing. In the embedded world where I (was)
work(ing), this is a pretty common behaviour and nothing really special
(the initial window size is already pretty low, often only 1500 bytes or
so, mainly because of limited memory reasons), therefore I've chosen the
note severity for the zero window stuff.

I can understand that this situation differs on the way the network is
used, but error for all that seems to be way too high for me. So what about:
a) use warn for "window is full" and "zero window" messages
b) use note for the zero window probing, as it's actual normal behaviour
trying to recover from the zero window

I've done similar for the TCP sequence: "previous segment lost" is a
warn, the usual "Duplicate ACK" and "Retransmission" appearing
afterwards to recover from it only use note. This way you'll usually
see the actual problem cause pretty well and the recovery from the
problem (usually a lot more packets) is with lower severity.

Having fewer messages at higher severity levels makes the expert infos
a lot easier to work with, compared to being dumped with all kinds of stuff.

As I wouldn't call myself a real TCP expert, what do others think?

Regards, ULFL
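Ulf's proposal (warn for "window full" and "zero window", note for the zero window probe) run over a small trace, as an added example that is not part of this thread or of Wireshark's packet-tcp.c. The endpoint labels and segments are constructed, and the window-full and probe checks are simplified versions of the heuristics being discussed:

```python
from dataclasses import dataclass

NOTE, WARN = "note", "warn"
RANK = {NOTE: 0, WARN: 1}

@dataclass
class Seg:
    src: str    # sending endpoint label (constructed, e.g. "A")
    dst: str    # receiving endpoint label
    seq: int    # sequence number of the first payload byte
    ack: int    # acknowledgement number
    win: int    # advertised receive window in bytes
    plen: int   # payload length in bytes

def analyze(segments):
    """Return (index, event, severity) tuples, one per expert info."""
    last = {}    # endpoint label -> (last advertised win, last ack sent)
    infos = []
    for i, s in enumerate(segments):
        peer_win, peer_ack = last.get(s.dst, (None, None))
        if s.plen == 1 and peer_win == 0:
            # one byte sent into a closed window: the probe, normal recovery
            infos.append((i, "zero window probe", NOTE))
        elif s.plen and peer_win is not None and s.seq + s.plen == peer_ack + peer_win:
            # this segment fills the peer's advertised window exactly
            infos.append((i, "window full", WARN))
        if s.win == 0:
            # receiver says it cannot take more data: flow control kicked in
            infos.append((i, "zero window", WARN))
        last[s.src] = (s.win, s.ack)
    return infos

def at_least(infos, level):
    """Filter expert infos the way a severity threshold in the UI would."""
    return [e for e in infos if RANK[e[2]] >= RANK[level]]

TRACE = [  # constructed two-endpoint exchange, not a real capture
    Seg("B", "A", seq=1, ack=1, win=1500, plen=0),      # B: small embedded window
    Seg("A", "B", seq=1, ack=1, win=65535, plen=1500),  # A fills it completely
    Seg("B", "A", seq=1, ack=1501, win=0, plen=0),      # B: zero window
    Seg("A", "B", seq=1501, ack=1, win=65535, plen=1),  # A: zero window probe
    Seg("B", "A", seq=1, ack=1501, win=0, plen=0),      # B: still closed
    Seg("B", "A", seq=1, ack=1501, win=1500, plen=0),   # B: window update
]

if __name__ == "__main__":
    for info in analyze(TRACE):
        print(info)
    print("warn and above:", at_least(analyze(TRACE), WARN))
```

Filtering at warn shows the cause (window full, zero window) and hides the probe, which is the effect Ulf describes.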
