Re: Difference between TCP Window size and data length

[Sake Blok <sake () euronet nl>]

On 27 jun 2011, at 17:01, Roman Etebar wrote:

> I am troubleshooting slow HTTP response in one our satellite linked remote sites.
>
> I noticed a lot of packets with TCP Window size of 420 byte; however, the the data length field is set to 1460 which 
> is maximum segment size.
>
> I do not see a Fragmentation happening on these packets.
>
> How can 1460 bytes of data be exchanged between the sender and receiver when the TCP Window size is only 420 bytes?

A window size X in a packet from A to B means that A is willing to accept X bytes from B. The data portion in that 
packet can be larger, as it should be less than the Window Size that was seen in the last packet received from B.

Then there is window scaling, if you did not capture the 3-way-handshake of the connection, wireshark might have missed 
the window scaling options (they are only present in the SYN packets). When window scaling is used, the window size 
value should be multiplied by the factor advertised in the SYN packet (both directions can have a different value). 
Wireshark will show you a calculated Window size, but only when it has seen the SYN and SYN/ACK in which the WIndow 
Size Scaling options were present.

Hope this helps,
Cheers,

Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe