[Wireshark-users] TCP Window Size

2007-06-13 Thread Maria
Hello,

While posting messages to a Network user group, it was suggested that we use 
Wireshark for TCP protocol analysis. We currently have a private network. The 
network consists of one Dell laptop connected to a Netgear Ethernet 8 port 
switch and recording device connected to the Ethernet switch. The application 
on the Dell computer is the client (using Delphi 7 - tclientsocket) and the 
recorders are the servers. The recorders ship continuous data at 1 
megabits/second. We currently have 6 recorders attached. What we are seeing is 
that the recorders after 12-18 hours start to slow down in transmission speed.  
We think it is a TCP Window size overflow. Our client application may not be 
receiving the data fast enough and the window buffers are overflowing.

My question is how can we tell the TCP window size in Wireshark? And how much 
of it is not received by the application?

Hope I'm emailing the right place. Please let me know if I'm in error and need 
to send the email elsewhere.

Thanks for all your help.

Maria
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users


Re: [Wireshark-users] TCP Window Size

2007-06-13 Thread Laura Chappell
Hi Maria,

Look in the TCP headers of the packets to see the Window Size field value.
In addition, you'll see that information in the Info column (Win=x). Also
consider selecting Analyze > Expert Composite Info > Notes - Wireshark has
Zero Window and Window Full alerts.  Over at www.wiresharkU.com we have a
trace file set (see the FIN BIT magazine page) that I used in a session at
TechEd last week - grab the trace file set and check out the
download-bad.pcap trace. Look at packets 363-378 to see a client that hits
the zero window problem and the resulting keep-alive packets until the
Window Update is received. It's a nice trace - it was a terrible download -
over a 32 second delay because of the client TCP buffer space being
overloaded. Ouch.

Laura Chappell
Founder, Wireshark University
Sr. Protocol/Security Analyst, Protocol Analysis Institute
www.wiresharkU.com
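
Added example (not part of the original thread, and not Wireshark code): a small Python sketch of the check described in the reply above, reading the Window Size field from raw TCP headers and timing each zero-window period until the next window update. The helper names, the scale shift parameter and the sample packets are constructed for illustration; the sample is not taken from download-bad.pcap.

```python
import struct

def tcp_window(segment: bytes, shift: int = 0) -> int:
    """Advertised receive window, in bytes, from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Window Size is the 16-bit big-endian field at offset 14.
    (raw,) = struct.unpack_from("!H", segment, 14)
    # Assumption: 'shift' is the window scale seen in the handshake.
    # The window in a SYN segment is never scaled (RFC 7323).
    return raw if segment[13] & 0x02 else raw << shift

def zero_window_stalls(packets, shift=0):
    """packets: (timestamp, tcp_header) pairs sent by the receiving host.
    Returns (start, end, seconds) per zero-window period; end is None
    when the capture stops before a window update arrives."""
    stalls, start = [], None
    for ts, seg in packets:
        # Wireshark's Zero Window note ignores SYN, FIN and RST segments.
        if seg[13] & 0x07:
            continue
        win = tcp_window(seg, shift)
        if win == 0 and start is None:
            start = ts                    # receiver buffer just filled
        elif win > 0 and start is not None:
            stalls.append((start, ts, round(ts - start, 3)))
            start = None                  # window update reopened the flow
    if start is not None:
        stalls.append((start, None, None))
    return stalls

def _hdr(window, flags=0x10):
    # Constructed 20-byte header: ports, seq, ack, data offset 5,
    # flags (ACK by default), window, checksum, urgent pointer.
    return struct.pack("!HHIIBBHHH", 5000, 1234, 1, 1, 5 << 4,
                       flags, window, 0, 0)

# Constructed sample: the window shrinks, hits zero, stays there through a
# keep-alive reply, reopens, then closes again just before the capture ends.
SAMPLE = [(0.0, _hdr(8192)), (1.0, _hdr(2920)), (1.5, _hdr(0)),
          (6.5, _hdr(0)), (12.0, _hdr(8192)), (40.0, _hdr(0))]

if __name__ == "__main__":
    for start, end, secs in zero_window_stalls(SAMPLE):
        print(f"zero window from t={start}s to t={end}s ({secs}s)")
```

The advertised window is the free space left in the receiver's buffer, so a value that trends downward over time shows the application falling behind in reading its socket.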

 

 
