Wireshark-users: Re: [Wireshark-users] TCP Window Sizes

From: "Brett Turner" <bturner@xxxxxxxxxxxxxxxx>
Date: Tue, 9 Sep 2008 18:54:27 -0700

----- Original Message -----
From: wireshark-users-bounces@xxxxxxxxxxxxx <wireshark-users-bounces@xxxxxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Tue Sep 09 18:49:52 2008
Subject: Re: [Wireshark-users] TCP Window Sizes

Aaron Allen wrote:
> I am seeing >10mbit with larger window sizes consistently on different servers.
>The rtt should be lower on the second trace just because it is hitting 
a different
> amazon datacenter (and thus the higher throughput).

You have a server problem.  If you look at your server, you are sending
8K chunks of data with gaps in between.  So the thing about protocol
analysis is looking for patterns.  With some practice, it's amazing what
your eyes can quickly pickup.   When ball players say they can pick up
the spin of the ball or the release location/grip, I believe them.
After years of practice, I guess you can do anything.

So there's a couple of ways to see this. Click on Statistics, TCP
Streams Graph, Stevens graph (others will work too).

Once the graph comes up, left click on the "dots" four or five times to
zoom in.  Each dot represents bytes flying through the ether.  The 8
dots in a cluster represents your server's penchant for sending 1340 and
708 byte tcp datagrams.

8192 of course is also the "native" window size w/o the scaling factor. 
  So it may be that tcp chimney offload, TCP Offload Engine or something 
like it is broken.  At any given moment in time, you really have just 8K 
of data outstanding.

What does netstat -t say?  Does it show tcp offload status on the right?

-- 

Thanks,
Hansang

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users