This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

We found the network delay about 20 seconds.

The result is like the below.

[Screenshot]

A packet (1510 bytes) was sent in 5 fragments (numbers 47215, 49041, 50848, 52765, 52785). The delay for each segment was 5 seconds.

For this test, I didn't set 'tcp window size' and 'nagle option' on Windows Server 2008 R2 64-bit.

I have two questions.

1. The TCP window size in the screenshot, as you can see, is under 256. Is this normal?
2. A long packet delay was found between segments. Is this normal?

Please give me your help for solving those problems.

asked 22 Dec '10, 18:28

dalma
1112
accept rate: 0%

I have resolved both of the IP addresses (192.168.0.2, 192.168.0.4). The original addresses were different. However, both of them are in the same network.

I have filtered TCP keep-alive packets and TCP keep-alive ACKs for the test in the screenshot above.

The below shows only port after filtering for the test.

[Screenshot]

I am curious why the packet was received after over 20 seconds, and why the TCP window size is so small on Windows.

(22 Dec '10, 23:52) dalma

Dalma, 20 seconds is an eternity in network time. Consider that in one second, I can go across the world about three times. I can't see the post pics too well, so it's hard for me to tell what's going on. But one thing to consider is that nothing in the network clocks at a 5-second interval. So I have some questions. What app is this? Can you post a snippet of the trace (editcap it to just headers) so people can help you?

(23 Dec '10, 16:49) hansangb

To hansangb: May I have your mail address? It is difficult to upload the capture file. Please help me.

(10 Jan '11, 22:59) dalma

That's on the same subnet. There's some out of order stuff going on. So basically some frames are being destroyed between the source and destination. Is there a duplex mismatch somewhere? Is anything hard coded to full?

answered 22 Dec '10, 18:55

Paul Stewart
3018
accept rate: 6%

Regarding the Window Size: I'd say it's normal, I see sizes like that a lot, and usually for Vista/2008 and up. These OSes use the TCP window scaling option (RFC 1323), which means that the specified window size is multiplied by a certain scale factor. Vista and 2008 often use a scale factor of 8, which means that the window size is multiplied by 2^8 (256). So for example if your window is 256 you need to calculate the scaled window, which is 256*256=65536.

Wireshark can calculate the scaled window size for you if you enable it in the TCP settings ("relative sequence numbers and window scaling"). Since the scale factor is only agreed upon within the SYN-SYN/ACK packets of a connection, you need to make sure you capture them; otherwise Wireshark doesn't know what the scale factor is and can only show the base value, which I guess is what happened in your trace.

answered 23 Dec '10, 01:11

Jasper ♦♦
23.8k551284
accept rate: 18%
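The window-scaling arithmetic from the answer above, as an added example that is not part of the original post and is not Wireshark's code: it reads the Window Scale option from a SYN and applies it to a later segment's raw window field. The function names, ports and sample header bytes are constructed for illustration.

```python
import struct

def build_tcp_header(flags, window, options=b""):
    """Constructed sample segment header (ports/sequence numbers are made up)."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 5000, 1000, 0,
                       offset << 4, flags, window, 0, 0) + options

def window_scale_shift(tcp_header):
    """Shift count from the Window Scale option (kind 3) of a SYN or SYN/ACK.

    Returns None if the segment is not a SYN or carries no such option."""
    if not tcp_header[13] & 0x02:                     # SYN flag not set
        return None
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of Option List
            break
        if kind == 1:                                 # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                     # malformed option, stop
        if kind == 3 and opts[i + 1] == 3:
            return min(opts[i + 2], 14)               # shift counts above 14 are treated as 14
        i += opts[i + 1]
    return None

def scaled_window(raw_window, sender_shift, peer_shift):
    """Real receive window for a non-SYN segment.

    Scaling is active only if both SYNs carried the option; with the
    handshake missing from the capture both shifts are None and only the
    raw field can be reported."""
    if sender_shift is None or peer_shift is None:
        return raw_window
    return raw_window << sender_shift

# Constructed handshake: MSS 1460, NOP, Window Scale 8, NOP, NOP, SACK permitted
OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])
SYN = build_tcp_header(0x02, 8192, OPTS)
SYN_ACK = build_tcp_header(0x12, 8192, OPTS)
ACK = build_tcp_header(0x10, 256)
```

The window field of the SYN and SYN/ACK themselves is never scaled, so `scaled_window` applies only to segments sent after the handshake.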
