Ask Your Question
0

Syn ACK win=0

asked 2018-01-22 20:08:28 +0000

aink99 gravatar image

Is it abnormal to received a syn, ack of win=0 ?

I see it from time to time but somebody is worried because they send a tcp ack and tcp zero probe malformed after a syn ack win=0. See shared link below

https://drive.google.com/open?id=1Ihu...

edit retag flag offensive close merge delete

Comments

That should be when you get a tcp windowZeroWindow not a tcp of window size = 0 that not the same thing. Source is sending ZeroWindows probe even If the destination has not sent tcp WindowZero. That is the issue, further more the source packet is malformed or corrupted , not a good sign.

Check out the source network.

aink99 gravatar imageaink99 ( 2018-02-07 18:50:34 +0000 )edit

3 Answers

Sort by » oldest newest most voted
1

answered 2018-01-23 12:34:48 +0000

Jasper gravatar image

It's uncommon, but it happens. Normally, a system should advertise a window size of a couple of segments (n times MSS), but in some situations I saw devices return 0 in the SYN/ACK. Usually for printers which accept the connection but want to delay having to receive print data because they need to "wake up" first (e.g. spinning and heating up all the mechanical parts required to print).

So I wouldn't say it's something that is critical, but maybe that device sending the Win 0 should be on your "soon to be replaced" list (if possible - some hospitals have those old needle printers they still need to use).

edit flag offensive delete link more
0

answered 2018-02-09 21:48:22 +0000

aink99 gravatar image

updated 2018-02-09 21:48:44 +0000

That should be when you get a tcp windowZeroWindow not a tcp of window size = 0 that not the same thing. Source is sending ZeroWindows probe even If the destination has not sent tcp WindowZero. That is the issue, further more the source packet is malformed or corrupted , not a good sign.

Check out the source network.

edit flag offensive delete link more
0

answered 2018-01-24 23:40:08 +0000

Bill Woodrow gravatar image

A device sending Win 0 is indicating that its TCP receive buffer is full and it needs the other party to wait. Generally this isn't a big problem as the 2 parties can sort things out. BUT in your case those Probes that follow make it look like the one side is waiting for quite a while; I can't quite see the times but it looks like 5+ seconds. Is this impacting users in any way?

I agree with Jasper above that as long as this is something like a printer and the Win0 only happens when something like initial bootup and you don't see any related user impact, you can probably ignore these. If however this is happening regularly on a client workstation or worse a server, I would definitely look into the TCP receive buffer and resources.

BW

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

3 followers

Stats

Asked: 2018-01-22 20:08:28 +0000

Seen: 248 times

Last updated: Feb 09