zero window

retag add tags

Hello: i see zero window from receiver but then i still see flying packets from sender to receiver without window update from receiver to sender. The only difference is that those are diffrent stream. So is zero window based on specific stream another words if other stream is sending to receiver would still work?

also after tcp zero window that streams stops and nothing happens. basically after FIN.ACK zero window follows. also this is keep happening. is that normal thanks

quest4answer

asked 2019-12-04 22:02:34 +0000, updated 2019-12-04 22:47:55 +0000

edit flag offensive 0 remove flag close merge delete

Comments

Which side of the connection is sending the FIN/ACK?

Chuckc (2019-12-04 23:20:23 +0000) edit

sorry but i was not trying to find out the definition or explanation how to manage the window but trying to understand the behavior on my capture. so I am not sure i was clear on my question but here is the capture. as you can see any of the zero window stream has distinct behavior there is a FIN, ACK happens then there is a re transmission and then there is a zero window happens. there is no window update after that stream stops right there. This is keep happening on the cluster of windows 2016 servers which are running exchange.

I have two questions:

Is the zero window stream specific another words if zero window happens on one stream is it possible that another stream still pushing data from same source and destination

Also in attached capture FIN, ACK followed by Retransmission and then zero window . is this ... (more)

quest4answer (2019-12-05 14:52:37 +0000) edit

add a comment see more comments

2 Answers

Sort by

oldest

newest

most voted

The Zero Window is coming after each side has done their FIN/ACK so not an issue.
Data continues to flow on the other open connections/streams.

TCP Streams: 3, 23, 43, 44, 71, 76, 81, 90, 104, 110, 159
23, 110: sent from 10.65.142.158
All others sent from 192.168.119.7

The Zero Window only occurs for ports 475 or 2525.
There are 98 streams closed (FIN/ACK) for those ports and 11 of those with Zero Window warning.

(tcp.port==475 or tcp.port==2525) and tcp.flags.fin==1

So about 10% of the time you get a Zero Window but it's after the stream/connection is closed.

Chuckc

answered 2019-12-05 17:20:07 +0000

edit flag offensive 0 remove flag delete link

Comments

Can you do a capture at both ends to see if the packet being retransmitted was dropped or just ignored?
The connections seem to normally take about 125ms so waiting the extra 300ms for the retransmission is tying up the ports.

Chuckc (2019-12-05 17:46:57 +0000) edit

okay thanks i will check

quest4answer (2019-12-12 18:29:53 +0000) edit

add a comment see more comments

The RFC refers to streams as Connections. There is a window per Connection.

https://tools.ietf.org/html/rfc793

  Connections:

    The reliability and flow control mechanisms described above require
    that TCPs initialize and maintain certain status information for
    each data stream.  The combination of this information, including
    sockets, sequence numbers, and window sizes, is called a connection.
    Each connection is uniquely specified by a pair of sockets
    identifying its two sides.

  Managing the Window

  The window sent in each segment indicates the range of sequence
  numbers the sender of the window (the data receiver) is currently
  prepared to accept.  There is an assumption that this is related to
  the currently available data buffer space available for this
  connection.

Chuckc

answered 2019-12-04 23:19:31 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

zero window edit

Comments

2 Answers

Comments

Comments