Solved

What is a TCP Window Update?

Posted on 2008-09-29
8
13,545 Views
Last Modified: 2013-11-13
I'm writing a web service client and I'm getting a lot of TCP Window Update packets in my Wireshark capture.  What are they and are they bad?

Thanks!
0
Comment
Question by:pbenito
8 Comments
 
LVL 12

Expert Comment

by:bhnmi
ID: 22599341
Can you post the packet? Most likely its just chatter  to the MS update server, but I am not sure.
0
 

Author Comment

by:pbenito
ID: 22599516
Frame 3881 (60 bytes on wire, 60 bytes captured)
Transmission Control Protocol, Src Port: http (80), Dst Port: tapestry (1922), Seq: 1, Ack: 2778606, Len: 0
    Source port: http (80)
    Destination port: tapestry (1922)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 2778606    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 65535
    Checksum: 0x91ac [correct]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is a tcp window update]
0
 
LVL 12

Expert Comment

by:bhnmi
ID: 22599530
I believe that is web traffic.
0
 

Author Comment

by:pbenito
ID: 22599540
What does it mean?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 12

Accepted Solution

by:
bhnmi earned 500 total points
ID: 22599561
Frame 3881 (60 bytes on wire, 60 bytes captured)
Transmission Control Protocol, Src Port: http (80), Dst Port: tapestry (1922), Seq: 1, Ack: 2778606, Len: 0
    Source port: http (80)
    Destination port: tapestry (1922)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 2778606    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 65535
    Checksum: 0x91ac [correct]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is a tcp window update]


The destination port says tapestry.

http://tapestry.apache.org/
0
 

Expert Comment

by:tcrick
ID: 22890155
Do you see TCP ZeroWindow and/or TCP Zero_WindowProbe?
It means one side of the communications receive buffer was full and could not receive anymore data.  It thens sends a zero window, the other side then sends a zero window probe to see if the window is still in the zero window state.  Then zero window updates are sent to renegotiate the window size.
0
 

Author Comment

by:pbenito
ID: 22891628
Thanks!  
0
 

Expert Comment

by:JasonMewes
ID: 23203492
The tcp window specifies how much data can be in transit.

One way of looking at it is a method to let the "sender" know how much buffer space is available at the "receivers" end so that the sender does not send more data than the receiver can handle.

Window updates are usually performed as part of "normal" packet that contains data. Every time a tcp packet goes back from the receiving end it includes it's current window size/buffer space available so essentially every tcp packet is also a window update (although it is not marked as such).

However, on a (mostly) unidirectional connection (ie, data only flows in one direction) the receiver has no "normal" outgoing packets. It will still have to let the sender know of it's window size, because otherwise the sender will eventually think that the receivers buffers are full.

These updates are called window updates and are essentially a tcp packet that has no data and is sent with no other purpose than to let the sender know that the space available in the receivers buffer has increased.

Depending on your implementation they may anything from completely legit to a slight waste of bandwidth. Likely the former.
1

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Article by: rfc1180
The Maximum Segment size (MSS) is an important consideration when troubleshooting connectivity via the Internet/Intranet. As the packets are routed via the Internet/Intranet, the packets must traverse through multiple routers in the path between two…
The article explains the protocols and technology which is involved when two computers on different TCP/IP networks communicate with each other. In the diagram, a router is used to segregate two networks. The networks are 192.168.1.0/24 and 192…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now