Wireshark TCP Window Size Value

tcpwireshark

I am debugging an application with Wireshark and watching the TCP Window Size value shrink on one side of the communication.

If the packet's TCP section shows a "Window size value: 1", does that mean the source's window size is 1 or the destination's window size is 1? I know one side is communicating faster than the other can handle, I just want be sure I know which one it is.

1 192.168.0.1 -> 192.168.0.100, Modbus/TCP, Length: 66, Window Size Value: 1

2 192.168.0.100 -> 192.168.0.1, TCP, Length: 60, Window Size Value: 92

3 192.168.0.100 -> 192.168.0.1 TCP, Length: 310, Window Size Value: 92

4 192.168.0.1 -> 192.168.0.100 TCP, Length: 54, Window Size Value: 0

So is 192.168.0.1's window size 0 or is it reporting that 192.168.0.100's window is 0? Thanks.

Best Answer

The window size on packets from A to B indicate how much buffer space is available on A for receiving packets. So when B receives a packet with window size 1, it would tell B how many bytes it is allowed to send to A.

A few details worth knowing about window size are:

Window sizes can be scaled. The SYN packets at the start of the connection indicate scaling factor. A window size of only 1 byte is unlikely. A more likely explanation is that it is scaled by some factor, if for example the scaling factor is 2048, then the 1 indicates the window is 2048 bytes.
Window sizes are measured relative to the ACK number in that packet. So if the application isn't reading from the receive buffer, then a sequence of ACK packets will have increasing ACK numbers and decreasing window sizes such that the sum of ACK number + window size * scaling factor remains (roughly) constant.

Best Answer

Related Solutions

Linux – TCP Zero Window with no corresponding Window Update

Windows – TCP Window Size going to 0 / Wget stops downloading

Related Topic