
zero window

asked 2019-12-04 22:02:34 +0000

quest4answer

updated 2019-12-04 22:47:55 +0000

Hello: I see a zero window from the receiver, but then I still see packets flying from sender to receiver without a window update from receiver to sender. The only difference is that those are a different stream. So is zero window based on a specific stream? In other words, if another stream is sending to the receiver, would it still work?

Also, after the TCP zero window that stream stops and nothing happens. Basically, after FIN, ACK a zero window follows. Also, this keeps happening. Is that normal? Thanks.



Which side of the connection is sending the FIN/ACK?

Chuckc ( 2019-12-04 23:20:23 +0000 )

Sorry, but I was not trying to find out the definition or an explanation of how to manage the window, but trying to understand the behavior in my capture. I am not sure I was clear in my question, but here is the capture. As you can see, each of the zero window streams has a distinct behavior: a FIN, ACK happens, then there is a retransmission, and then a zero window happens. There is no window update after that; the stream stops right there. This keeps happening on the cluster of Windows 2016 servers which are running Exchange.

I have two questions:

Is the zero window stream specific? In other words, if a zero window happens on one stream, is it possible that another stream is still pushing data between the same source and destination?

Also, in the attached capture, FIN, ACK is followed by a Retransmission and then a zero window. Is this ...(more)

quest4answer ( 2019-12-05 14:52:37 +0000 )

2 Answers


answered 2019-12-05 17:20:07 +0000

Chuckc

The Zero Window is coming after each side has done their FIN/ACK so not an issue.
Data continues to flow on the other open connections/streams.

TCP Streams: 3, 23, 43, 44, 71, 76, 81, 90, 104, 110, 159
23, 110: sent from
All others sent from

The Zero Window only occurs for ports 475 or 2525.
There are 98 streams closed (FIN/ACK) for those ports and 11 of those with Zero Window warning.

(tcp.port==475 or tcp.port==2525) and tcp.flags.fin==1

So about 10% of the time you get a Zero Window but it's after the stream/connection is closed.



Can you do a capture at both ends to see if the packet being retransmitted was dropped or just ignored?
The connections seem to normally take about 125ms so waiting the extra 300ms for the retransmission is tying up the ports.

Chuckc ( 2019-12-05 17:46:57 +0000 )

Okay, thanks, I will check.

quest4answer ( 2019-12-12 18:29:53 +0000 )
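The per-connection check described in the answer above, as an added example that is not part of the thread or the poster's capture: it tracks FIN state separately for each `tcp.stream` and reports whether a zero window appeared while the connection was still open or only after both sides had sent FIN. The sample rows, the documentation-range addresses and the verdict names are constructed assumptions; the column layout assumes tshark field output for `tcp.stream`, `frame.time_relative`, `ip.src`, `tcp.flags.fin` and `tcp.window_size_value`.

```python
from collections import defaultdict

# Constructed sample (not from the capture in this thread), shaped like:
#   tshark -r capture.pcapng -T fields -e tcp.stream -e frame.time_relative \
#          -e ip.src -e tcp.flags.fin -e tcp.window_size_value
SAMPLE = (
    "3\t0.000\t192.0.2.10\t0\t8212\n"
    "4\t0.050\t192.0.2.10\t0\t8212\n"
    "4\t0.060\t198.51.100.20\t0\t0\n"      # zero window, stream 4 still open
    "5\t0.070\t192.0.2.10\t0\t8212\n"
    "3\t0.120\t198.51.100.20\t1\t8212\n"   # FIN from one side
    "3\t0.121\t192.0.2.10\t1\t8211\n"      # FIN from the other side
    "5\t0.200\t198.51.100.20\t0\t8212\n"   # stream 5 keeps flowing
    "4\t0.300\t198.51.100.20\t0\t4096\n"   # window update on stream 4
    "3\t0.425\t198.51.100.20\t1\t8212\n"   # retransmitted FIN
    "3\t0.426\t192.0.2.10\t0\t0\n"         # zero window after both FINs
)

def classify(tsv):
    """Return {stream: verdict}; all state is kept per connection."""
    fin_sides = defaultdict(set)   # stream -> hosts that have sent a FIN
    verdict = {}
    for line in tsv.strip().splitlines():
        stream, _time, src, fin, win = line.split("\t")
        stream = int(stream)
        verdict.setdefault(stream, "no_zero_window")
        if fin in ("1", "True"):   # tshark prints booleans either way
            fin_sides[stream].add(src)
        elif int(win) == 0:
            if len(fin_sides[stream]) < 2:
                # Receiver buffer full on a live connection: a real stall.
                verdict[stream] = "zero_window_while_open"
            elif verdict[stream] == "no_zero_window":
                # Both directions already closed: no data left to block.
                verdict[stream] = "zero_window_after_close"
    return verdict

if __name__ == "__main__":
    for stream, result in sorted(classify(SAMPLE).items()):
        print(stream, result)
```
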

answered 2019-12-04 23:19:31 +0000

Chuckc

The RFC refers to streams as Connections. There is a window per Connection.


    The reliability and flow control mechanisms described above require
    that TCPs initialize and maintain certain status information for
    each data stream.  The combination of this information, including
    sockets, sequence numbers, and window sizes, is called a connection.
    Each connection is uniquely specified by a pair of sockets
    identifying its two sides.

  Managing the Window

  The window sent in each segment indicates the range of sequence
  numbers the sender of the window (the data receiver) is currently
  prepared to accept.  There is an assumption that this is related to
  the currently available data buffer space available for this


Asked: 2019-12-04 22:02:34 +0000

Seen: 2,074 times

Last updated: Dec 05 '19