Hello, I have made 2 Wireshark captures: 1- A text file of size 10 MB 2- A PDF file of size 16 MB

I repeated both these captures, once on a Cloud Virtual Machine and another on a LAN desktop. I am capturing the file Sync between the device and VM/desktop on a laptop that the mobile device is connected to.

What I don't understand is, how should I measure the window size for each environment using Wireshark? I understand that since both of the environments are Windows 7 and Windows 2008 R2, the window size changes according to demand.

Before the file is synced, it's split into segments and then compressed. Once that is done it is sent over TCP to the device. What I noticed is that for my desktop, the text file is being sent over separate TCP packets of size 247, while the same file on my CLOUD VM is sent over a larger window with each packet of size 1514.

Why am I noticing different behavior for each?

asked 03 Sep '13, 13:57

Mustafa El-Hilo

> being sent over separate TCP packets of size 247, while the same file on my CLOUD VM is sent over a larger window with each packet of size 1514.

That sounds like a MTU issue rather than a TCP window size problem.

Can you please post the capture files somewhere (google docs, dropbox, cloudshark)? Without the capture files it is impossible to give good advice.

(03 Sep '13, 23:45) Kurt Knochner ♦

Here is a link for 2. The file "10MBfileSuncDStoDevice" is from Cloud to Device. The other is from Desktop to Device. https://drive.google.com/folderview?id=0B_M_fihdbr8VY1RESmwtZGpDVmM&usp=sharing

(04 Sep '13, 05:47) Mustafa El-Hilo

The small packet size on the LAN is caused by the PUSH (PSH) flag (~78% of the packets from the server). The PUSH flag is handled by the application (real time applications do that). If you add some information about the file sync application, we (and you) might be able to understand why/how the application is doing that (maybe a config option or default behavior).

> Why am I noticing different behavior for each?

Because of the use of the PUSH flag on the LAN (78%) versus Internet (10%). The TCP window size does not matter here, at least not as a source of the small packets.

Regards
Kurt

answered 04 Sep '13, 06:37

Kurt Knochner ♦

edited 04 Sep '13, 06:42

My task is to reverse engineer the file sync application. So I was wondering if you can see something I can't.

(04 Sep '13, 06:52) Mustafa El-Hilo

> My task is to reverse engineer the file sync application. So I was wondering if you can see something

What are you interested in, besides the explanation of the small packets (see my answer)?

> So I was wondering if you can see something I can't

Because the data is encrypted with SSL/TLS. There is no way to reverse engineer that without access to the server keys.

(04 Sep '13, 06:59) Kurt Knochner ♦
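
One way to measure what the answer describes, the share of server data segments carrying PSH and the resulting frame sizes, as an added example that is not part of the original thread. The frames are constructed sample data mirroring the 78% / 10% shares and the 247 / 1514 byte sizes quoted above; server port 443, the addresses and the helper names are assumptions.

```python
import struct

PSH, ACK = 0x08, 0x10   # TCP flag bits
HDRS = 14 + 20 + 20     # Ethernet + IPv4 + TCP headers, no options

def build_frame(frame_len, flags, sport=443, dport=50000):
    """Constructed Ethernet/IPv4/TCP frame of frame_len bytes (checksums zero)."""
    payload = frame_len - HDRS
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload

def psh_stats(frames, server_port=443):
    """Return (PSH ratio, mean frame length) over data segments from server_port."""
    count = pushed = size = 0
    for f in frames:
        if len(f) < HDRS or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                      # not IPv4 carrying TCP
        ihl = (f[14] & 0x0F) * 4
        tcp = f[14 + ihl:]
        if len(tcp) < 20:
            continue                      # truncated TCP header
        sport = struct.unpack("!H", tcp[:2])[0]
        payload = struct.unpack("!H", f[16:18])[0] - ihl - (tcp[12] >> 4) * 4
        if sport != server_port or payload <= 0:
            continue                      # other direction, or a pure ACK
        count += 1
        size += len(f)
        pushed += bool(tcp[13] & PSH)
    return (pushed / count, size / count) if count else (0.0, 0.0)

def sample(psh_small, full):
    """Constructed capture: small PSH frames, full-size frames, client ACKs."""
    return ([build_frame(247, PSH | ACK)] * psh_small
            + [build_frame(1514, ACK)] * full
            + [build_frame(54, ACK, sport=50000, dport=443)] * 20)

LAN, CLOUD = sample(78, 22), sample(10, 90)   # shares taken from the answer above

if __name__ == "__main__":
    for name, cap in (("LAN", LAN), ("cloud", CLOUD)):
        ratio, mean = psh_stats(cap)
        print(f"{name}: PSH on {ratio:.0%} of server data segments, mean frame {mean:.0f} bytes")
```

Counting only segments with payload from the server side keeps pure ACKs from the client out of both the ratio and the size average.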
question asked: 03 Sep '13, 13:57

question was seen: 4,573 times

last updated: 04 Sep '13, 07:00