I have two captures from each firewall for two sites connected by a VPN tunnel. From the sending side host (site1) capture, Wireshark is reporting many TCP Zero Window and Update flags coming from the receiving side (site 2). Looking at the receiving (site2) capture, there are no TCP Zero Window and Update flags reported but only TCP retransmissions and Dup Ack. Having two-sided captures, I would expect to see the same TCP Zero Window and Update for the receiving side, but that’s not the case. I would like advice on the best way to analyze this to rule out whether it could be a firewall issue or the clients themselves.

asked 03 Oct '13, 15:32


It looks like you're expecting the captures to show the same packets taken at the same time in two different locations, so the first thing to do is to verify if that assumption is correct or if the packets aren't from the same connections. To do that I'd filter on the SYN packets only (tcp.flags==0x02) and compare the TCP initial sequence numbers. If you can't find a match you have some sort of proxying going on, which means that matching the sessions will be very difficult since the TCP connections are completely different. In that case you need to find out why this happens, and what kind of devices are involved (maybe some normal Proxy, maybe WAN accelerators etc.).

If you can find the same SYN packets on both sides you just go and filter on the session, and not by TCP stream number, because it may be different. Use a conversation filter instead, meaning that you filter on IP and port of both client and server. After that, you need to start comparing the single packets of the conversations to see what is different.


answered 03 Oct '13, 22:54

Jasper ♦♦
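The SYN comparison described in the answer above, as an added example that is not part of the original answer: it pulls the initial sequence number from every SYN-only packet on each side, pairs the two captures by ISN, and builds the IP-and-port conversation filter for a match. The function names and the sample packets are constructed for illustration, and it assumes raw IPv4 packets with the link-layer header already stripped.

```python
import struct
from ipaddress import ip_address

def make_pkt(src, sport, dst, dport, seq, flags):
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 65535, 0, 0)
    return ip + tcp

def syns(packets):
    """Map ISN -> (src, sport, dst, dport) for every SYN-only packet."""
    out = {}
    for pkt in packets:
        if pkt[0] >> 4 != 4 or pkt[9] != 6:      # keep IPv4 carrying TCP only
            continue
        ihl = (pkt[0] & 0x0F) * 4                # IP header length in bytes
        sport, dport, seq = struct.unpack_from("!HHI", pkt, ihl)
        if pkt[ihl + 13] == 0x02:                # flag byte: SYN set, nothing else
            out[seq] = (str(ip_address(pkt[12:16])), sport,
                        str(ip_address(pkt[16:20])), dport)
    return out

def match_syns(site1, site2):
    """For each site1 SYN, the site2 conversation with the same ISN, or None."""
    far = syns(site2)
    return {conv: far.get(isn) for isn, conv in syns(site1).items()}

def conversation_filter(conv):
    """Display filter on IP and port of both ends (not on tcp.stream)."""
    src, sport, dst, dport = conv
    return f"ip.addr=={src} && tcp.port=={sport} && ip.addr=={dst} && tcp.port=={dport}"

# Constructed captures: the first connection crosses unchanged, the second
# shows up on site2 with a different ISN, and the SYN/ACK must be ignored.
SITE1 = [make_pkt("10.1.0.5", 40000, "10.2.0.9", 443, 1000, 0x02),
         make_pkt("10.2.0.9", 443, "10.1.0.5", 40000, 5000, 0x12),
         make_pkt("10.1.0.5", 40001, "10.2.0.9", 443, 2000, 0x02)]
SITE2 = [make_pkt("10.1.0.5", 40000, "10.2.0.9", 443, 1000, 0x02),
         make_pkt("10.1.0.5", 40001, "10.2.0.9", 443, 7777, 0x02)]

if __name__ == "__main__":
    for conv, peer in match_syns(SITE1, SITE2).items():
        if peer is None:
            print(conv, "-> no SYN with this ISN on site2 (proxying?)")
        else:
            print(conv, "-> same connection; filter:", conversation_filter(peer))
```
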
