This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I understand that "TCP Full Window" indicates that the sender is sending more data than receiver's advertised window size? But why would this happen? Shouldn't the sender just be able to send data <= receiver's window?

Or is it because wireshark see more data has been queued at the sender side? But how does wireshark know this? send buffer?

asked 09 Sep '13, 22:30

SteveZhou's gravatar image

SteveZhou
191273034
accept rate: 0%


Shouldn't the sender just be able to send data <= receiver's window?

Yes.

But why would this happen?

That message is just an informational message of Wireshark, that it has seen a full window (exactly the 'allowed' amount of data). There is no problem (from a analysts perspective), unless there is no [TCP ZeroWindow] or a [TCP Window Update] from the client, after Wireshark has seen the [TCP Window Full].

Regards
Kurt

permanent link

answered 10 Sep '13, 00:08

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 10 Sep '13, 00:09

what does the "allowed amount of data" mean here? The amount of data queued in the TCP send buffer? As i know, TCP send buffer won't be allowed > advertised receiver window by its session peer.

(10 Sep '13, 00:16) SteveZhou
1

what does the "allowed amount of data" mean here?

An example:

  • The Receiver advertises a TCP Window of 5000 byte.
  • The Sender sends 5 packets with a TCP Len of 1000 each
  • There is no ACK between those 5 packets
  • Wireshark will mark the 5th packet with [TCP Window Full] as it has seen those advertized 5000 bytes, without an ACK

Up to now, everything is O.K. as the sender did not 'violate' any convention. Now, it would be up to the receiver to send either an ACK, a ZeroWindow or a Window Update. If neither happens and the sender continues to send data, then there would be a problem.

According to the code, Wireshark will only print that message if it has seen exactly the amount of bytes on the line (without ACK) that have been advertised be the receiver. If the sender sends more bytes (for whatever reason), e.g. 1200 in the last packet of the example above, the frame will not be marked with [TCP Window Full].

(10 Sep '13, 01:02) Kurt Knochner ♦

very clear explanation! I understood. thank you!

(10 Sep '13, 02:01) SteveZhou
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×55
×7

question asked: 09 Sep '13, 22:30

question was seen: 84,949 times

last updated: 10 Sep '13, 02:01

p​o​w​e​r​e​d by O​S​Q​A