Fix a TCP ZERO Window // TCP Deep Dive with Wireshark

Captions
What's up, packet people. So I was just troubleshooting a problem, and I wanted to show you what I found: I found a TCP zero window event, the dreaded TCP window. Oh no! So in this video I just wanted to show you, in Wireshark, how we can find zero windows and even what to do about them. You can download the pcap in the description down below, so let's get to it.

So here I have just a very simple TCP stream, just a filtered TCP conversation. If I come down a little bit lower, I'm gonna notice there's black lines with red letters showing up. Oh no: TCP Window Full and Zero Window. So in this video I'm gonna focus in on that zero window, what causes it, and how it can impact our throughput.

All right, so first, whenever I'm analyzing TCP zero window events, I first want to know what the window is. Okay, so I'm going to come down to my detail view on the lower left, and I've selected packet 50. Okay, so I'm going to come down here to Calculated window size: zero. That's why this is a zero window event. Now what does that mean? Okay, so I'm just going to apply that as a column. Now as I'm looking at this, notice my zero window went down to, as we can see, zero. So what this means is, whoever is sending this packet, the zero window is telling the opposite side: stop, stop sending, I can't take any more data.

So what a receive window basically is, is a TCP receive buffer. It's a spot where data can come into that buffer, and then data flows out of that buffer to the application. But if data starts to pool in that buffer, well, then it can start to fill, and eventually that buffer can become full, and now that station has to tell the opposite side to stop sending: we have too much data in that buffer, we can't receive any more.

So a symptom that you'll often look for when you start to suspect you have zero window problems: well, first of all, we have the actual error flagged for us here in Wireshark. But if I come up above this, and I've added Calculated window size as a column, what I want to see is up above. I start to see that 65,535. This is now my client, 10.0.2.15; it's the one with the window problem. But if I come down here, notice that this window starts to drop: so 62, 61, I can see 50, 56, 58, 55, 53. So basically this window is an advertisement of how many more bytes that receiver can handle in its buffer. So initially the client's saying, hey, go ahead and send, I can handle 62,780 bytes. But as we go forward, we start to see that it advertises less and less and less and less space in that buffer.

Well, we finally get down here, we get down to packet 46, we're at 11,680. That's how much space is left over in that buffer. Well, the opposite side sends one more packet, and if I take a look, this is actually a reassembled packet. You can see the TCP segment length is 11,680. In fact, I'm going to go ahead and add this as a column; this is the segment length. Now keep in mind, this isn't real of what actually happened on the wire. This packet was actually probably chopped up and brought in to much smaller segments once the data hit the wire, but this packet ends up filling the receive window of the target. But this packet, this 11,680, is coming from this server, it's heading to this client, and really this fills that window. That's why we get that TCP Window Full alert in Wireshark. Wireshark's saying, hey, the receiver only had 11,680 to work with, and you just sent 11,680; that's going to fill the window.

Well, not long after that we get an ACK from the client, 41 milliseconds later. The client says, hey, now I've only got 2920. So that means that it took 2920 bytes, that was cleared out of the receive buffer, so now it's got room for 2920 left. Well, the server sends 2920, so now again we've filled that window. At this point the server can't send anything else; it has to stop, it has to wait until there's more space to catch this data in that receive window on the client. Well, the client comes back with a true zero window: stop sending, I'm full, I have a full receive buffer. Well, we wait almost a full second. Look at packet 51: 808 milliseconds, and then we see a TCP Window Update. So there's no new data here, but the client is just saying, hey, just so you know, I went ahead and cleared out my window. Now I have TCP receive buffer to work with; you can go ahead and start sending more data now. Server's like, sweet, let's do it. Okay, here's a bunch of data, and then we actually shut down the connection. So this full second over here was just due to that zero window.

Now what would we do about this? Well, the first thing that I'm wondering is, are we using window scaling? If you notice, all of these window sizes are 65,535 or less. Well, if I go up to my handshake, I'm just going to take a look at the packet from the client to the server, and if I expand this out and take a peek at the TCP options here, I can see that I am doing window scaling. I am able to multiply the receive window by a much larger value. Okay, so this is a two-byte value, the receive window. Keep in mind TCP was invented a long time ago, but this two-byte value only allows for 65,535 total as a receive window. That means you can only have 65,535 in flight, unacknowledged data. But the window scale allows us to multiply that number to a much larger number, up to a maximum of a gigabyte of receive window. So the client says, hey, window scale is this. Server comes back: wait a second, no window scale. The server's not giving us a window scale factor. That means that as a client, I can't use that window scale. Now I just have to use the true window size, and that's just a two-byte value. That's really going to limit the amount of throughput that the sender can put out on the wire.

Okay, so that's the first place I would look: why is a server not advertising a window scale? And then the second place that I would look is, I would look on the client, and I would take a look at its resources. Why is that receive buffer filling, and we're not processing data out of it? Okay, so does it have a lot of processes going? Does it have a thousand tabs open in Chrome? So what is the reason why it is pooling data? What is it busy doing with other applications?

Okay, so that was just a quick look at what a receive window looks like, or a zero window looks like, in TCP, and we also took a peek at the TCP Window Full error. Now I know there's more questions about TCP receive windows, so go ahead and click here and you can learn a bit more about how they work in TCP.
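A small re-implementation of the three Wireshark flags the video walks through (Window Full, Zero Window, Window Update) together with the window-scale negotiation rule, written here as an added example; it is not code from the video or from Wireshark. The trace is constructed from the numbers quoted above; the server address, the client's scale shift of 7, and the simplification that each ACK acknowledges all outstanding data are assumptions marked in the code.

```python
from dataclasses import dataclass
from typing import Optional

CLIENT, SERVER = "10.0.2.15", "server"  # client from the video; server address is a placeholder

@dataclass
class Seg:
    src: str
    dst: str
    window: int                   # raw 16-bit window field from the TCP header
    seglen: int = 0               # payload bytes carried by this segment
    syn: bool = False
    wscale: Optional[int] = None  # window-scale shift count (SYN segments only)
def scale_shifts(segs):
    """RFC 7323: scaling is in effect only if BOTH SYNs carried the option."""
    opts = {s.src: s.wscale for s in segs if s.syn}
    both = len(opts) == 2 and all(v is not None for v in opts.values())
    return {h: (v if both else 0) for h, v in opts.items()}
def analyze(segs):
    """Simplified Wireshark checks; assumes each ACK covers all outstanding data."""
    shifts, credit, last_adv, events = scale_shifts(segs), {}, {}, []
    for num, s in enumerate(segs, 1):
        win = s.window << shifts.get(s.src, 0)       # effective advertised window
        if not s.syn and s.seglen == 0:
            if win == 0:
                events.append((num, "Zero Window"))
            elif last_adv.get(s.src) == 0:          # buffer reopened after a zero window
                events.append((num, "Window Update"))
        last_adv[s.src] = win
        credit[s.dst] = win                         # bytes the peer may now send
        if s.seglen:
            credit[s.src] = credit.get(s.src, float("inf")) - s.seglen
            if credit[s.src] <= 0:                  # this data exactly filled the buffer
                events.append((num, "Window Full"))
    return events, shifts

# Constructed trace modelled on the video's numbers: the client offers scaling on its SYN, the server's SYN/ACK does not.
SAMPLE = [
    Seg(CLIENT, SERVER, 65535, syn=True, wscale=7),  # SYN carrying a window-scale option
    Seg(SERVER, CLIENT, 65535, syn=True),            # SYN/ACK without the option
    Seg(CLIENT, SERVER, 62780),                      # client: 62,780 bytes of buffer free
    Seg(SERVER, CLIENT, 65535, seglen=51100),        # server data; 11,680 of credit left
    Seg(CLIENT, SERVER, 11680),                      # buffer draining slowly
    Seg(SERVER, CLIENT, 65535, seglen=11680),        # exactly fills the window
    Seg(CLIENT, SERVER, 2920),                       # 41 ms later: only 2,920 free
    Seg(SERVER, CLIENT, 65535, seglen=2920),         # fills it again
    Seg(CLIENT, SERVER, 0),                          # zero window: stop sending
    Seg(CLIENT, SERVER, 65535),                      # ~808 ms later: window update
]
```

Running `analyze(SAMPLE)` flags packets 6 and 8 as Window Full, 9 as Zero Window and 10 as Window Update; giving the server's SYN/ACK a `wscale` too makes the Window Full events disappear, which is the point the video makes about the missing scale factor.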
Info
Channel: Chris Greer
Views: 19,886
Keywords: intro to wireshark, wireshark, chris greer, free wireshark training, wireshark for beginners, wireshark tutorial, packet analysis, ccna, protocol analysis, wireshark training, packet capture, wireshark training 2022, tcp deep dive, tcp/ip, tcp analysis, wireshark tcp, troubleshooting tcp, zero window, receive window
Id: x_5HlKEIViA
Length: 7min 11sec (431 seconds)
Published: Fri Apr 29 2022