This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP window Size

Hello, I have made 2 Wireshark captures: 1- A text file of size 10 MB 2- A PDF file of size 16MB

I repeated both these captures, once on a Cloud Virtual Machine and another on a LAN desktop. I am capturing the file Sync between the device and VM/desktop on a laptop that the mobile device is connected to.

What I don't understand is, how should I measure the window size for each environment using Wireshark? I understand that since both of the environments are Windows 7 and Windows 2008 R2, the window size changes according to demand.

Before the file is sync-ed it's split into segments and then compressed. Once that is done it is sent over TCP to the device. What I noticed is that for my desktop, the text file is being sent over separate TCP packets of size 247, while the same file on my CLOUD VM is sent over a larger window with each packet of size 1514.

Why am I noticing different behavior for each?

asked 03 Sep '13, 13:57

Mustafa El-Hilo

being sent over separate TCP packets of size 247, while the same file on my CLOUD VM is sent over a larger window with each packet of size 1514.

That sounds like an MTU issue rather than a TCP window size problem.

Can you please post the capture files somewhere (google docs, dropbox, cloudshark)? Without the capture files it is impossible to give good advice.

(03 Sep '13, 23:45) Kurt Knochner ♦

Here is a link for 2. The file "10MBfileSuncDStoDevice" this is from Cloud to Device. The other is from Desktop to Device. https://drive.google.com/folderview?id=0B_M_fihdbr8VY1RESmwtZGpDVmM&usp=sharing

(04 Sep '13, 05:47) Mustafa El-Hilo

One Answer:

The small packet size on the LAN is caused by the PUSH (PSH) flag (~78% of the packets from the server). The PUSH flag is handled by the application (real time applications do that). If you add some information about the file sync application, we (and you) might be able to understand why/how the application is doing that (maybe a config option or default behavior).

Why am I noticing different behavior for each?

Because of the use of the PUSH flag on the LAN (78%) versus Internet (10%). The TCP window size does not matter here, at least not as a source of the small packets.

Regards
Kurt

answered 04 Sep '13, 06:37

Kurt Knochner ♦

edited 04 Sep '13, 06:42

My task is to reverse engineer the file sync application. So I was wondering if you can see something I can't.

(04 Sep '13, 06:52) Mustafa El-Hilo

My task is to reverse engineer the file sync application. So I was wondering if you can see something

What are you interested in, besides the explanation of the small packets (see my answer)?

So I was wondering if you can see something I can't

Because the data is encrypted with SSL/TLS. There is no way to reverse engineer that without access to the server keys.

(04 Sep '13, 06:59) Kurt Knochner ♦
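
The PUSH-flag comparison from the answer above (share of data segments with PSH set, per sender) can be measured directly from a capture. The following is an added example, not part of the original thread: it parses a classic microsecond pcap file (not pcapng) with Ethernet/IPv4/TCP framing, and the sample capture, its addresses and ports are constructed so that the frame sizes match the 247-byte and 1514-byte packets mentioned in the question.

```python
import struct
from collections import defaultdict

PSH = 0x08  # TCP PUSH flag bit

def psh_stats(pcap: bytes) -> dict:
    """Per source IP: (data segments, share with PSH set, mean payload bytes)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    acc = defaultdict(lambda: [0, 0, 0])  # segments, PSH segments, payload bytes
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet + IPv4 + TCP only; anything else is skipped
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue
        payload = struct.unpack_from("!H", frame, 16)[0] - ihl - (frame[tcp + 12] >> 4) * 4
        if payload <= 0:
            continue  # pure ACKs carry no file data
        entry = acc[".".join(map(str, frame[26:30]))]
        entry[0] += 1
        entry[1] += bool(frame[tcp + 13] & PSH)
        entry[2] += payload
    return {ip: (n, p / n, b / n) for ip, (n, p, b) in acc.items()}

def _frame(src, payload_len, flags):
    """Constructed Ethernet/IPv4/TCP frame; checksums left at zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(src), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len

def sample_pcap() -> bytes:
    """Constructed capture: a 'LAN' sender with small PSH segments, a 'cloud' sender without."""
    lan, cloud = [192, 168, 1, 10], [203, 0, 113, 5]
    frames = [_frame(lan, 193, 0x18)] * 3 + [_frame(lan, 1460, 0x10)]
    frames += [_frame(cloud, 1460, 0x10)] * 9 + [_frame(cloud, 1460, 0x18)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for ip, (n, ratio, mean) in psh_stats(sample_pcap()).items():
        print(f"{ip}: {n} data segments, {ratio:.0%} PSH, mean payload {mean:.0f} bytes")
```

A sender with a high PSH share and a mean payload well below the path MSS points to the application writing in small chunks, which is the behavior the answer attributes to the LAN side.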