This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Bytes in Flight exceeds window size

0

Hi,

I am examining a trace from netscaler. On statistics -> IO Graphs , I am comparing bytes in flights and window size. Strangely , my bytes in flight is higher than window size. Only when I supply tcp stream as a display the problem seems to recover. When there is no input in display filter , bif exceeds the window size. Besides , when I enter vlan (nstrace.vlan ) it doesn't have an effect. Still bif is higher.

Note : I select Y-Field as tcp.analysis.bytes_in_flight and tcp.window_size ; then Y-axis as max(Y-Field).

Any idea would be appreciated.

asked 21 Dec '16, 23:36

Ozan_Cesur's gravatar image

Ozan_Cesur
6113
accept rate: 0%


One Answer:

1

Bytes in flight and window size is a session based values. So exactly you need more things in the filter for the two graphs;

  1. IP_address_Site_A and tcpstream_ID. In the YField max value: calculated_windowsize
  2. IP_address_Site_B and tcpstream_ID. in the YField max value: bytes_in_flight

answered 21 Dec '16, 23:48

Christian_R's gravatar image

Christian_R
1.8k2625
accept rate: 16%

edited 21 Dec '16, 23:51

I thought when I left the display filter empty , wireshark would search for all the sessions. So when it draws bytes_in_flight information for a specific session, it should have found the window size information for that specific session as well.

As I see it is not how wireshark draws graphs when I left display filter empty. I should look for how it behaves when no filters entered

Thanks for the response

(22 Dec '16, 00:00) Ozan_Cesur

First I have converted your answer into acomment, as it is more a comment.

If you leave the filter field empty. Wireshark looks at every packet and if it it contains a the field it draws the value (max, SUM...) But Wireshark does this without any kind of intelligence.

The intteligence is the display filter in this case, which need to be defined by the user.

But at least for the window size value there are some intelligent graphs available, as you have expected by the IO graph: Statistics -> TCP Stream Graphs -> Window Scaling

or

Statistics -> TCP Stream Graphs -> tcptrace

(22 Dec '16, 01:05) Christian_R