I understand that "TCP Full Window" indicates that the sender is sending more data than receiver's advertised window size? But why would this happen? Shouldn't the sender just be able to send data <= receiver's window? Or is it because wireshark see more data has been queued at the sender side? But how does wireshark know this? send buffer? asked 09 Sep '13, 22:30  SteveZhou |
One Answer:
Yes.
That message is just an informational message of Wireshark, that it has seen a full window (exactly the 'allowed' amount of data). There is no problem (from a analysts perspective), unless there is no [TCP ZeroWindow] or a [TCP Window Update] from the client, after Wireshark has seen the [TCP Window Full]. Regards answered 10 Sep '13, 00:08  Kurt Knochner ♦ edited 10 Sep '13, 00:09 |
what does the "allowed amount of data" mean here? The amount of data queued in the TCP send buffer? As i know, TCP send buffer won't be allowed > advertised receiver window by its session peer.
An example:
Up to now, everything is O.K. as the sender did not 'violate' any convention. Now, it would be up to the receiver to send either an ACK, a ZeroWindow or a Window Update. If neither happens and the sender continues to send data, then there would be a problem.
According to the code, Wireshark will only print that message if it has seen exactly the amount of bytes on the line (without ACK) that have been advertised be the receiver. If the sender sends more bytes (for whatever reason), e.g. 1200 in the last packet of the example above, the frame will not be marked with [TCP Window Full].
very clear explanation! I understood. thank you!