This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Under what conditions does Wireshark mark a packet as a TCP Window Update packet?

0

I understand the TCP window mechanism and that all ACK packets contain an advertized window size, which keeps fluctuating. If so, why does Wireshark mark certain packets as Window Update packets, and why is it important to observe? Is changing window sizes not normal?

asked 21 Nov '13, 22:31

xkgt
accept rate: 0%

edited 22 Nov '13, 02:45

grahamb ♦


2 Answers:

2
  1. The sequence number doesn't change, which means that there is no new data being sent
  2. The acknowledge number doesn't change, which means that no new incoming data is acknowledged
  3. The Window size is different from the one in the previous packet of the same sender

Basically, all new information the TCP layer of such a packet contains is a different window size.

And yes, changing window sizes is normal. You often see it when it gets close to zero (or even down to zero) when a higher window size is advertised, which is used to tell the sender to keep going. But a lot of systems also advertise new window sizes even when they're not close to zero, just to let the sender know that they have more buffer space available for incoming packets.

answered 21 Nov '13, 22:46

Jasper ♦♦
accept rate: 18%

edited 21 Nov '13, 22:48
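
The three conditions from the answer above, as an added example (not part of the original post and not Wireshark's dissector code): a small Python checker run over a constructed segment list. The `Seg` record, `find_window_updates` and all sample values are assumptions for illustration; `win` is taken as the already-scaled window, and SYN/FIN/RST handling is left out.

```python
from collections import namedtuple

# Constructed segment record: src identifies the sender, win is the advertised
# window in bytes (already scaled), length is the TCP payload length.
Seg = namedtuple("Seg", "src seq ack win length")

def find_window_updates(segments):
    """Return (index, old_win, new_win) for segments whose only news is the window."""
    last = {}   # sender -> (next expected seq, last ack, last window)
    hits = []
    for i, s in enumerate(segments):
        prev = last.get(s.src)
        if prev is not None:
            next_seq, last_ack, last_win = prev
            if (s.length == 0 and s.seq == next_seq   # 1. no new data sent
                    and s.ack == last_ack             # 2. nothing new acknowledged
                    and s.win != last_win):           # 3. window differs from previous
                hits.append((i, last_win, s.win))
        last[s.src] = (s.seq + s.length, s.ack, s.win)
    return hits

# Constructed capture: A sends data to B; B's receive buffer fills, then reopens.
CAPTURE = [
    Seg("A", 1000, 500, 65535, 1000),  # 0 data
    Seg("B", 500, 2000, 1000, 0),      # 1 ACK, first segment seen from B
    Seg("A", 2000, 500, 65535, 1000),  # 2 data
    Seg("B", 500, 3000, 0, 0),         # 3 ack number advanced: not an update
    Seg("B", 500, 3000, 8000, 0),      # 4 only the window changed (0 -> 8000)
    Seg("A", 3000, 500, 65535, 1000),  # 5 data
    Seg("B", 500, 4000, 7000, 0),      # 6 ack number advanced: not an update
    Seg("B", 500, 4000, 7000, 0),      # 7 same window as 6: not an update
    Seg("B", 500, 4000, 16000, 0),     # 8 only the window changed (7000 -> 16000)
]

if __name__ == "__main__":
    for idx, old, new in find_window_updates(CAPTURE):
        note = "reopened from zero window" if old == 0 else "more buffer advertised"
        print(f"segment {idx}: window update {old} -> {new} ({note})")
```

Segment 4 is the "keep going" case the answer describes (window reopened from zero); segment 8 is the routine case where the receiver simply advertises more buffer space.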

1

If so, why Wireshark marks certain packets as Window update packet

See the explanation of @Jasper.

and why is it important to observe? Changing Window sizes is not normal?

A window size change is at least nothing abnormal and thus observing it is not necessary, unless the window size drops to zero or you have performance problems of any kind.

Regards
Kurt

answered 22 Nov '13, 02:04

Kurt Knochner ♦
accept rate: 15%