Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
2
Helpful
4
Replies

pcap uniformly shows bytes in flight greater than receive window. (??)

Go to solution
jmaxwellUSAF
VIP
VIP

‎02-26-2024 01:43 PM

While investigating network latency in a Cisco network, a pcap uniformly shows bytes in flight greater than receive window. How can that be possible?

(see picture attached)

Thank you!

Labels:
Preview file
189 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jmaxwellUSAF
VIP
VIP

‎02-28-2024 07:41 AM

I'm confident I found the answer...

[window size scaling factor -1 (unknown)]

Because the pcap does not contain the 3-way handshake, the pcap does not know the window scaling factor, so the output is erroneous.

---

what determines the final windows scaling factor? - Ask Wireshark

"It means that the trace file does not contain the TCP three-way handshake, so Wireshark does not know whether window scaling is in use, and if it is, what the window scaling factor is. If Wireshark sees the three-way handshake, and window scaling is used, Wireshark will know what window scaling factor is used by each side. Wireshark will then calculate the true window size for you by multiplying the value in the window size field by the appropriate multiplier.

If Wireshark does not see the three-way handshake, it will simply report the value of the window size field, which may or may not be the true window size, and indicate "[window size scaling factor -1 (unknown)]"

See RFC 1323 for the specification of the TCP window scale option."

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Georg Pauwen
VIP
VIP

‎02-27-2024 03:23 AM

Hello,

hard to tell why you see this. Which application(s) are sending the traffic ? I think there are techniques like TCP window scaling, which allows for larger receive window sizes. In such cases, the receive window advertised by the receiver may not accurately reflect the amount of data actually received, leading to apparent discrepancies between bytes in flight and the receive window.

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Georg Pauwen

‎02-27-2024 03:51 AM

Would need to see PCAP (on my phone at the moment), but @Georg Pauwen's may be correct as RWIN above 64 KB uses a scaling multiplier, i.e. actual RWIN value in packet can be much larger than it appears.

Go to solution
jmaxwellUSAF
VIP
VIP

‎02-28-2024 07:41 AM

I'm confident I found the answer...

[window size scaling factor -1 (unknown)]

Because the pcap does not contain the 3-way handshake, the pcap does not know the window scaling factor, so the output is erroneous.

---

what determines the final windows scaling factor? - Ask Wireshark

"It means that the trace file does not contain the TCP three-way handshake, so Wireshark does not know whether window scaling is in use, and if it is, what the window scaling factor is. If Wireshark sees the three-way handshake, and window scaling is used, Wireshark will know what window scaling factor is used by each side. Wireshark will then calculate the true window size for you by multiplying the value in the window size field by the appropriate multiplier.

If Wireshark does not see the three-way handshake, it will simply report the value of the window size field, which may or may not be the true window size, and indicate "[window size scaling factor -1 (unknown)]"

See RFC 1323 for the specification of the TCP window scale option."

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to jmaxwellUSAF

‎02-28-2024 08:36 AM

Yup, large windowing is setup during the 3 way handshake - both sides have to agreed to it.  BTW, with large windowing, selective ACKs (SACK) is often advisable.

Oh, and if you're read up on large windowing, you should see windowing (if I recall correctly) scales from 128 KB to 2 GB, so as I noted earlier, window can be much larger than a 64 KB non-scaled window.

Lastly, although you noted investigating high latency, once you start to scale up the window size, again, selective ACKs can become somewhat important.

0 Helpful
Customers Also Viewed These Support Documents