
The documentation says that TCP Window Update is usually due to previous Zero Window.

I can't find a previous zero window. What else might it be?

Transmission Control Protocol, Src Port: 5431, Dst Port: 703, Seq: 1, Ack: 38529, Len: 0
    Source Port: 5431
    Destination Port: 703
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Acknowledgment number: 38529    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x010 (ACK)
    Window size value: 256
    [Calculated window size: 256]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x03c0 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [Expert Info (Chat/Sequence): TCP window update]
John Zwinck
ManInMoon

1 Answer


Wireshark marks a packet as "TCP Window Update" if it is an ACK packet with no changes other than the window size. Some TCP stacks do send such packets, even when the window was nowhere near full (the condition which would cause a "zero window" packet).

Ref: https://osqa-ask.wireshark.org/questions/27253/under-what-conditions-wireshark-marks-a-packet-as-tcp-window-update-packet

John Zwinck
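The rule described in the answer, as an added example that is not part of the original post and is not Wireshark's own code: a simplified per-direction classifier that labels a pure ACK as a window update when only the window size changed. The `Segment` type, the `classify` function and both sample traces are constructed for illustration; the first trace mirrors the packet in the question (Seq 1, Ack 38529, window 256).

```python
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
CONTROL = SYN | FIN | RST

@dataclass
class Segment:
    seq: int        # relative sequence number
    ack: int        # relative acknowledgment number
    length: int     # TCP payload length
    window: int     # advertised receive window
    flags: int = ACK

def classify(segments):
    """Label the segments of ONE direction of a flow, in capture order."""
    labels, prev, next_seq = [], None, None
    for s in segments:
        plain = not (s.flags & CONTROL)
        if plain and s.window == 0:
            label = "zero window"
        elif (prev is not None and plain and s.flags & ACK
              and s.length == 0                 # carries no data
              and s.window not in (0, prev.window)  # window changed
              and s.seq == next_seq             # sequence unchanged
              and s.ack == prev.ack):           # acknowledges nothing new
            label = "window update"
        else:
            label = "normal"
        labels.append(label)
        # Simplification: ignores the sequence number consumed by SYN/FIN.
        prev, next_seq = s, s.seq + s.length
    return labels

# Constructed trace: the receiver re-advertises its window, never hitting zero.
NO_ZERO_WINDOW = [
    Segment(seq=1, ack=37069, length=0, window=256),
    Segment(seq=1, ack=38529, length=0, window=250),  # new data acknowledged
    Segment(seq=1, ack=38529, length=0, window=256),  # only the window changed
]

# Constructed trace: the classic case, a zero window that is later reopened.
AFTER_ZERO_WINDOW = [
    Segment(seq=1, ack=1000, length=0, window=256),
    Segment(seq=1, ack=2000, length=0, window=0),
    Segment(seq=1, ack=2000, length=0, window=256),
]

if __name__ == "__main__":
    print(classify(NO_ZERO_WINDOW))
    print(classify(AFTER_ZERO_WINDOW))
```

The first trace produces a window update with no zero window anywhere before it, which is the situation in the question.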