4

I am debugging an application with Wireshark and watching the TCP Window Size value shrink on one side of the communication.

If the packet's TCP section shows a "Window size value: 1", does that mean the source's window size is 1 or the destination's window size is 1? I know one side is communicating faster than the other can handle, I just want be sure I know which one it is.

1 192.168.0.1 -> 192.168.0.100, Modbus/TCP, Length: 66, Window Size Value: 1

2 192.168.0.100 -> 192.168.0.1, TCP, Length: 60, Window Size Value: 92

3 192.168.0.100 -> 192.168.0.1 TCP, Length: 310, Window Size Value: 92

4 192.168.0.1 -> 192.168.0.100 TCP, Length: 54, Window Size Value: 0

So is 192.168.0.1's window size 0 or is it reporting that 192.168.0.100's window is 0? Thanks.

T Vernon
  • 43
  • 1
  • 1
  • 3

2 Answers2

5

The window size on packets from A to B indicate how much buffer space is available on A for receiving packets. So when B receives a packet with window size 1, it would tell B how many bytes it is allowed to send to A.

A few details worth knowing about window size are:

  • Window sizes can be scaled. The SYN packets at the start of the connection indicate scaling factor. A window size of only 1 byte is unlikely. A more likely explanation is that it is scaled by some factor, if for example the scaling factor is 2048, then the 1 indicates the window is 2048 bytes.
  • Window sizes are measured relative to the ACK number in that packet. So if the application isn't reading from the receive buffer, then a sequence of ACK packets will have increasing ACK numbers and decreasing window sizes such that the sum of ACK number + window size * scaling factor remains (roughly) constant.
kasperd
  • 30,455
  • 17
  • 76
  • 124
2

The windows size field in the TCP header signifies the number of bytes the sender (in this case 192.168.0.1) is willing to receive.

imlepid
  • 175
  • 1
  • 3
  • 10