In the first pcap (2016-03-17-other-Angler-EK-after-localtasteblog.com.pcap) from page, for the TCP session that starts with packet 209, there is a long period of about 7 seconds (from packet 371 to packet 822) during which the client side has a TCP window size of 0. My guess is that the client is trying to gunzip while receiving the server response data, but even that doesn't explain such a long period of a zero TCP window on the client side. I wonder what the possible causes for it could be. Thanks, Jin asked 12 Apr '16, 20:40 pktUser1001
One Answer:
The client is busy doing something that doesn't give it time to empty the window buffer. What exactly can only be guessed. Usually it's an I/O-intensive operation, but it may also be some sort of calculation, or the client is using all its memory (leading to paging -> I/O). I've seen zero window situations longer than a minute caused by client resource problems. answered 13 Apr '16, 00:34 Jasper ♦♦
I'll just emphasize that the client activity may be completely unrelated to the TCP session you are interested in.
This traffic is from malware running in a sandbox. Given this fact, I wonder if it's because the malware, in the middle of getting HTTP response data, started another HTTP request to "hxxp://161.averoncapital.info/?x=&i=i0bnwGUkE&v=i6orgt&s=vZ6sD0f&q=qxLNvg&l=wcqMSQi&a=sDi&b=TMnHdLxar&h=t" starting at packet 378. That would explain why it didn't drain all the packets from the TCP session (causing the TCP window size of 0). Thanks.
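The diagnosis above (a receiver that stops draining its socket, so its advertised window drops to 0 until it catches up) is easy to turn into a repeatable check. The script below is an added example, not code from the question, the answer or Wireshark; it measures how long each host in each TCP stream kept advertising a zero window, so a 7-second stall like the one in the question stands out from the sub-second zero windows that normal flow control produces. The packet records are constructed sample data standing in for fields exported from a capture; the stream numbers, addresses and timestamps are invented for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # capture time in seconds, relative to the first frame
    stream: int    # TCP stream index, as Wireshark's tcp.stream would assign
    src: str       # sender of this segment (the host advertising the window)
    window: int    # advertised receive window in bytes (0 = "stop sending")


def zero_window_periods(packets, min_duration=0.0):
    """Find contiguous runs of zero-window advertisements.

    A run for (stream, host) opens at the first segment from that host with
    window == 0 and closes at the next segment from the same host with a
    non-zero window (the window update). Runs still open when the capture
    ends are reported up to the last packet seen, since the receiver never
    recovered within the trace.

    Returns a list of dicts with stream, host, start, end and duration,
    keeping only runs at least min_duration seconds long.
    """
    open_runs = {}   # (stream, host) -> timestamp the zero window began
    results = []
    last_ts = None
    for p in sorted(packets, key=lambda x: x.ts):
        last_ts = p.ts
        key = (p.stream, p.src)
        if p.window == 0:
            open_runs.setdefault(key, p.ts)   # keep the earliest start
            continue
        start = open_runs.pop(key, None)
        if start is not None:
            _record(results, key, start, p.ts, min_duration, recovered=True)
    # Anything still open at end of capture never sent a window update.
    for key, start in open_runs.items():
        _record(results, key, start, last_ts, min_duration, recovered=False)
    return results


def _record(results, key, start, end, min_duration, recovered):
    duration = end - start
    if duration >= min_duration:
        results.append({
            "stream": key[0], "host": key[1],
            "start": start, "end": end,
            "duration": duration, "recovered": recovered,
        })


# Constructed sample: stream 5 mimics the question (client stalls ~7 s while
# the server keeps probing); stream 6 is a harmless momentary zero window.
SAMPLE = [
    Packet(0.00, 5, "10.0.0.5", 65535),     # client ACKs with a healthy window
    Packet(0.01, 5, "203.0.113.9", 29200),  # server data
    Packet(1.00, 5, "10.0.0.5", 0),         # client buffer full: zero window
    Packet(2.50, 5, "203.0.113.9", 29200),  # zero-window probe from server
    Packet(3.00, 5, "10.0.0.5", 0),         # client still not draining
    Packet(8.10, 5, "10.0.0.5", 0),
    Packet(8.20, 5, "10.0.0.5", 65535),     # window update: client caught up
    Packet(4.00, 6, "10.0.0.7", 0),         # stream 6: brief zero window
    Packet(4.05, 6, "10.0.0.7", 32768),     # recovered 50 ms later
]


def stalled_hosts(packets, threshold=1.0):
    """Convenience view: (stream, host, duration) for stalls >= threshold s."""
    return [(r["stream"], r["host"], round(r["duration"], 3))
            for r in zero_window_periods(packets, min_duration=threshold)]


if __name__ == "__main__":
    for r in zero_window_periods(SAMPLE):
        status = "recovered" if r["recovered"] else "never recovered"
        print(f"stream {r['stream']} {r['host']}: zero window "
              f"{r['start']:.2f}s -> {r['end']:.2f}s "
              f"({r['duration']:.2f}s, {status})")
    print("stalls >= 1 s:", stalled_hosts(SAMPLE))
```

To run this against a real capture, export the same four fields with `tshark -r file.pcap -T fields -e frame.time_relative -e tcp.stream -e ip.src -e tcp.window_size_value` and build `Packet` objects from the rows; in Wireshark itself the display filter `tcp.analysis.zero_window` lists the individual segments, while this script gives you the duration of each stall, which is the figure that separates a resource-starved or distracted client from ordinary flow control.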