Wireshark-users: Re: [Wireshark-users] TCP Window Sizes

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Tue, 09 Sep 2008 21:49:52 -0400
Aaron Allen wrote:
I am seeing >10mbit with larger window sizes consistently on different servers.
The rtt should be lower on the second trace just because it is hitting
a different
amazon datacenter (and thus the higher throughput).

You have a server problem.  If you look at your server, you are sending
8K chunks of data with gaps in between.  So the thing about protocol
analysis is looking for patterns.  With some practice, it's amazing what
your eyes can quickly pickup.   When ball players say they can pick up
the spin of the ball or the release location/grip, I believe them.
After years of practice, I guess you can do anything.

So there's a couple of ways to see this. Click on Statistics, TCP
Streams Graph, Stevens graph (others will work too).

Once the graph comes up, left click on the "dots" four or five times to
zoom in.  Each dot represents bytes flying through the ether.  The 8
dots in a cluster represents your server's penchant for sending 1340 and
708 byte tcp datagrams.

8192 of course is also the "native" window size w/o the scaling factor. So it may be that tcp chimney offload, TCP Offload Engine or something like it is broken. At any given moment in time, you really have just 8K of data outstanding.

What does netstat -t say?  Does it show tcp offload status on the right?

--

Thanks,
Hansang