First time here? Check out the FAQ!

Ask Your Question
0

Best way to calculate zero window recovery time

asked Sep 22 '0

Monitoring gravatar image

Hi,

I often see that one end will send multiple zero window packets before it sends a non zero window update. For example when calculating recovery time should I take the delta between the first outbound zero window and the first outbound non zero window update or the last outbound zero window and the first non zero window outbound? It seems that it should be the first to me but then at times the delay is quite high.

cheers

Preview: (hide)

Comments

Hi,

Good day. This is purely dependent on the receiver's application side. Zero Widnow recovery may vary during the transaction, so in my opinion it doesn't matter which receiver's generated packet you will use it for calculating the recovery delta.

Best Regards, Denzil D'Souza

ddsouza gravatar imageddsouza ( Sep 22 '0 )

It makes a substantial difference. Consider the below. 12:03:04.283775 10.7.10.153 10.7.10.76 TCP 54 [TCP ZeroWindow] 55007 → 3306 [ACK] Seq=2339562880 Ack=4205004478 Win=0 Len=0

12:03:04.505102 10.7.10.76  10.7.10.153 TCP 60  [TCP Keep-Alive] 3306  55007 [ACK] Seq=4205004477 Ack=2339562880 Win=330 Len=0

12:03:04.505114 10.7.10.153 10.7.10.76  TCP 54  [TCP ZeroWindow] 55007  3306 [ACK] Seq=2339562880 Ack=4205004478 Win=0 Len=0

12:03:04.952973 10.7.10.76  10.7.10.153 TCP 60  [TCP Keep-Alive] 3306  55007 [ACK] Seq=4205004477 Ack=2339562880 Win=330 Len=0

12:03:04.952986 10.7.10.153 10.7.10.76  TCP 54  [TCP ZeroWindow] 55007  3306 [ACK] Seq=2339562880 Ack=4205004478 Win=0 Len=0

12:03:05.555811 10.7.10 ...
(more)
Monitoring gravatar imageMonitoring ( Sep 22 '0 )

Another way to look at this is that there is no such thing as a TCP ZeroWindow packet. (ducks)
These packets happen to meet the Wireshark rules for setting the TCP Analysis flag for tcp.analysis.zero_window

/* ZERO WINDOW
 * a zero window packet has window == 0   but none of the SYN/FIN/RST set
 */


"will send multiple zero window packets"
Those aren't multiple "zero window packets". They are ACK packets for the TCP Keep-Alive messages and happen to have a Zero Window size so Wireshark TCP Analysis flags them.

Chuckc gravatar imageChuckc ( Sep 22 '0 )

1 Answer

Sort by » oldest newest most voted
0

answered Sep 22 '0

Jim Aragon gravatar image

The start of the Zero Window condition was when the receiver sent the first Zero Window packet. The other Zero Window packets are repeating that notification. So, you should take the time from the first Zero Window packet to the first packet with a non-zero window size.

If your Time column is still set to the default (Seconds Since Beginning of Capture), you can right-click on the first Zero Window packet and click "Set/Unset Time Reference." That makes that packet a new time-zero point. You can then just look at the time on the Window Update packet and see how much time has elapsed.

Preview: (hide)
link

Comments

Thanks Jim. That's what I figured. In general does the trace show Keep Alive packets or are they really receive window probe packets?

cheers

Monitoring gravatar imageMonitoring ( Sep 23 '0 )

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: Sep 22 '0

Seen: 367 times

Last updated: Sep 22 '20