This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Relation between window full, Zero window and PUSH?

0

Hi all

First question here :-)

I have been struggling with a capture that I do not fully understand.

I see quite a few "window is full" and "zero window" in the expert info, and a lot of PSH flags set in the trace itself, and I am wondering if there is a connection between the observations. (see attached screen dump)

The trace is from a (time critical) banking dealer application called Calypso, and I am trying to identify why the application fails to update all fields every now and again.

Thanks in advance

Peter Sindrupalt text

asked 29 Nov '13, 04:38

psindrup's gravatar image

psindrup
11112
accept rate: 0%


One Answer:

1

The PSH flag is used to tell the sending TCP stack to send the packet immediately, and to process it on the receiving side without waiting for more data. Otherwise there can be delays by using the Nagle algorithm or delayed acknowledgements, and if the sending stack knows that there will be no more data to be sent together it might set the PSH flag ("don't wait for more bytes, just process it right away!"). This is also common in time critical applications to avoid latency caused by waiting for more data to bundle together.

Zero Window can be a bad thing, because it means that the receiver signals that it cannot receive more bytes before it has finished processing the completely filled up buffers first. It's sort of a "stop sending, I need time to work here" message, and that indicates a performance problem on the receivers side. It is not a network problem, it's a problem on the receiving node. Get more RAM, faster Disks, more CPU power, whatever helps.

"Window Full" is a diagnosis that Wireshark does when it sees that the sender has sent as many bytes as the receiver had announced as free in its buffers. It is basically stated when "Bytes in Flight" a.k.a. "bytes that have not yet been acknowledged" equal the last Window size the receiver advertised. A diagnosis like this can indicate performance problems on the horizon, while Zero Window means that the problem has finally happened.

answered 29 Nov '13, 04:47

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%