hello I have a question about Tcp receive window size. I have this example from Wireshark:
client A :syn, win=8192, ws=4 ====> <===== server B: syn, ack win 5840, ws=128
client A : ack win=65700
1-How did we obtain 65700 (increase from 8192B to 65700B) in three way handshake? 2-how does the ws negotiotated in this example?
asked 14 Mar '16, 14:02
edited 14 Mar '16, 14:46
The window size is not negotiated but announced as each party has its own one - it is a receiving window so there is no reason why it should be negotiated as the sender can accommodate to any size announced. Why the client has increased the window size during initial handshake is an example of a question which Wireshark cannot answer. Packet capture and analysis can always tell you what has happened but only sometimes why it has happened.
E.g. we may assume that the TCP stack of the client uses some hardcoded window size value when sending the initial SYN packet and only uses the real value when it sends the first "useful" packet, but only analysis of the source code of the client's TCP stack and application can give the real answer.
What is negotiated is the support of window size scale factor. Until the client gets a confirmation from the server that the server supports window size scale factor as well (through presence of the ws option in the server's SYN, ACK packet), it does not know whether it may make use of it. So the window size value in the client's SYN packet is actually just a "safe side" one and the real value is only indicated when it becomes clear which way to specify it (with or without use of the ws factor).
Just to be clear: support of ws is negotiated, value of ws is not. Each side announces (and subsequently uses) its own ws value.
But this is still not an answer why the size indicated in the SYN packet was 8192 bytes and not, say, 65500 bytes, which would be closer to the "real" value announced later.
answered 14 Mar '16, 14:19
edited 14 Mar '16, 15:13
Besides all implemations about the window start algorithms, like slow start or so. The real question, from my point of view, in a scenario like this...:
...is: Why does Wireshark shows us in the Info column of the Frames (1) and (2) not the calculated Window Size, like we can see it in Frame (3)?
answered 16 Mar '16, 14:09
edited 16 Mar '16, 14:17