Wireshark-users: Re: [Wireshark-users] TCP Window Size
From: "Laura Chappell" <lchappell@xxxxxxxxxxxxxxxx>
Date: Wed, 13 Jun 2007 13:05:25 -0700

Hi Maria,


Look in the TCP headers of the packets to see the Window Size field value. In addition, you’ll see that information in the Info column (Win=x). Also consider selecting Analyze > Expert Composite Info > Notes – Wireshark has Zero Window and Window Full alerts. Over at www.wiresharkU.com we have a trace file set (see the FIN BIT magazine page) that I used in a session at TechEd last week – grab the trace file set and check out the download-bad.pcap trace. Look at packets 363-378 to see a client that hits the zero window problem and the resulting keep-alive packets until the Window Update is received. It’s a nice trace – it was a terrible download – over a 32 second delay because of the client TCP buffer space being overloaded. Ouch.


Laura Chappell

Founder, Wireshark University

Sr. Protocol/Security Analyst, Protocol Analysis Institute




From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Maria
Sent: Wednesday, June 13, 2007 8:20 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] TCP Window Size




While posting messages to a Network user group, it was suggested that we use Wireshark for TCP protocol analysis. We currently have a private network. The network consists of one Dell laptop connected to a Netgear Ethernet 8 port switch and recording device connected to the Ethernet switch. The application on the Dell computer is the client (using Delphi 7 - tclientsocket) and the recorders are the servers. The recorders ship continuous data at 1 megabits/second. We currently have 6 recorders attached. What we are seeing is that the recorders after 12-18 hours start to slow down in transmission speed. We think it is a TCP Window size overflow. Our client application may not be receiving the data fast enough and the window buffers are overflowing.


My question is how can we tell the TCP window size in Wireshark? And how much of it is not received by the application?


Hope I'm emailing the right place. Please let me know if I'm in error and need to send the email elsewhere.


Thanks for all your help.
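
The zero-window check described in the reply at the top of this thread, done outside Wireshark as an added example (not part of the original messages and not Wireshark code). It reads the 16-bit Window Size field from raw TCP headers and reports how long an endpoint advertised Win=0 before its Window Update. The addresses, ports, timestamps and window values are constructed sample data, and the function names are hypothetical.

```python
import struct

# Fixed 20-byte TCP header: sport, dport, seq, ack, data offset, flags,
# window, checksum, urgent pointer. Window Size is bytes 14-15.
TCP_HDR = struct.Struct("!HHIIBBHHH")
ACK, RST = 0x10, 0x04

def tcp_header(sport, dport, seq, ack, flags, window):
    """Build a 20-byte TCP header (constructed sample data, checksum left 0)."""
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

def window_size(header):
    """Return (source port, flags, raw Window Size) from a TCP header.
    The raw value is unscaled: with the window scale option the real window
    is raw << shift, but a raw 0 is a zero window either way."""
    sport, _, _, _, _, flags, window, _, _ = TCP_HDR.unpack(header[:20])
    return sport, flags, window

def zero_window_stalls(packets):
    """packets: iterable of (time_s, src_ip, tcp_header_bytes).
    Returns [(endpoint, start, end, seconds)], one entry per period in which
    an endpoint advertised Win=0 until its next non-zero window."""
    open_stalls, stalls = {}, []
    for ts, src, hdr in packets:
        sport, flags, win = window_size(hdr)
        if flags & RST:          # RSTs routinely carry Win=0; not a buffer signal
            continue
        ep = (src, sport)
        if win == 0:
            open_stalls.setdefault(ep, ts)   # keep the first Win=0 as the start
        elif ep in open_stalls:              # Window Update ends the stall
            start = open_stalls.pop(ep)
            stalls.append((ep, start, ts, round(ts - start, 3)))
    return stalls

# Constructed capture: client 10.0.0.2 receiving from a recorder at 10.0.0.10.
SAMPLE = [
    (0.000, "10.0.0.2",  tcp_header(49152, 5000, 1, 1001, ACK, 8760)),
    (0.050, "10.0.0.2",  tcp_header(49152, 5000, 1, 4001, ACK, 2920)),
    (0.100, "10.0.0.2",  tcp_header(49152, 5000, 1, 6921, ACK, 0)),      # zero window
    (0.600, "10.0.0.10", tcp_header(5000, 49152, 6920, 1, ACK, 65535)),  # sender probe
    (0.601, "10.0.0.2",  tcp_header(49152, 5000, 1, 6921, ACK, 0)),      # still zero
    (2.350, "10.0.0.2",  tcp_header(49152, 5000, 1, 6921, ACK, 8760)),   # window update
]

if __name__ == "__main__":
    for ep, start, end, secs in zero_window_stalls(SAMPLE):
        print(f"{ep[0]}:{ep[1]} advertised Win=0 from {start}s to {end}s ({secs}s)")
```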