Wireshark-users: Re: [Wireshark-users] Difference between TCP Window size and data length
From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 27 Jun 2011 19:17:14 +0200
On 27 jun 2011, at 17:01, Roman Etebar wrote:

> I am troubleshooting slow HTTP response in one of our satellite-linked remote sites.
> 
> I noticed a lot of packets with a TCP Window size of 420 bytes; however, the data length field is set to 1460, which is the maximum segment size.
> 
> I do not see any fragmentation happening on these packets.
> 
> How can 1460 bytes of data be exchanged between the sender and receiver when the TCP Window size is only 420 bytes?

A window size X in a packet from A to B means that A is willing to accept X bytes from B. The data portion in that packet can be larger, as it should be less than the Window Size that was seen in the last packet received from B.

Then there is window scaling: if you did not capture the 3-way handshake of the connection, Wireshark might have missed the window scaling options (they are only present in the SYN packets). When window scaling is used, the window size value should be multiplied by the factor advertised in the SYN packet (both directions can have a different value). Wireshark will show you a calculated Window size, but only when it has seen the SYN and SYN/ACK in which the Window Size Scaling options were present.

Hope this helps,
Cheers,

Sake
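
The two points in the reply above, as an added Python example that is not part of the original message: it takes each side's window-scale shift from its SYN segment and checks a segment's payload against the window last advertised by the receiving side. The `Seg` record, the host names and all sample values are constructed for illustration, and the check ignores unacknowledged data already in flight.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Seg:                      # hypothetical record for one captured TCP segment
    src: str
    dst: str
    syn: bool
    win: int                    # raw 16-bit Window field
    length: int                 # TCP payload bytes
    wscale: Optional[int] = None  # shift count from the SYN's Window Scale option

def analyze(segs):
    """Return (calculated_window, payload_fits_peer_window) per segment."""
    shift, syn_seen, last_win, out = {}, set(), {}, []
    for s in segs:
        if s.syn:
            syn_seen.add(s.src)
            shift[s.src] = s.wscale
            calc = s.win        # the window in a SYN itself is never scaled
        elif {s.src, s.dst} <= syn_seen:
            # Scaling is in effect only if both SYN and SYN/ACK carried the option.
            both = shift[s.src] is not None and shift[s.dst] is not None
            calc = s.win << shift[s.src] if both else s.win
        else:
            calc = None         # handshake not captured: scale factor unknown
        peer = last_win.get(s.dst)  # window the receiver last advertised
        out.append((calc, None if peer is None else s.length <= peer))
        last_win[s.src] = calc
    return out

# Constructed capture: client offers shift 7, server offers shift 2.
HANDSHAKE = [
    Seg("client", "server", True, 64240, 0, 7),
    Seg("server", "client", True, 28960, 0, 2),
    Seg("client", "server", False, 502, 0),
    Seg("server", "client", False, 420, 1460),  # raw window 420, 1460 bytes of data
]
MIDSTREAM = HANDSHAKE[2:]       # same flow, handshake missing from the capture

if __name__ == "__main__":
    for name, cap in (("with handshake", HANDSHAKE), ("mid-stream", MIDSTREAM)):
        print(name, analyze(cap))
```
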