Wireshark-users: Re: [Wireshark-users] TCP Window Sizes

From: Aaron Allen <Aaron.Allen@xxxxxxxxxxxxxx>
Date: Wed, 10 Sep 2008 10:39:12 -0400
Sake,
Sorry, to be more clear:
Windows 2008 -> Amazon (this is where I'm seeing problems)
Vista Workstation -> Amazon (I consistently get 8-10mbit)

I've attached local and SPAN packet captures from two uploads to S3.  The "largewindow" captures are from the Vista workstation and the "smallwindow" captures are from the windows 2008 server.

The NIC in the server is an Intel Pro 1000 MT and I have disabled "Large Send Offload" (which is intel slang for TCP segmentation offloading).  Of course, drivers are updated.

Hansang,
I see what you are talking about when I look at the TCP graphs.  Netstat -t is showing the connections in state "InHost" which would eliminate the possibility of offload problems (I assume?).

I'll admit, I'm confused.  I see larger window sizes in the packet captures from the Vista workstation, but not from the Windows 2008 server.  The packet captures from the local and SPAN session vary greatly from the Vista machine.  Since that NIC has "Large Send Offload" enabled, I'm guessing the workstation NIC is handling segmentation, and thus the differences.

Is it possible that this is an application limitation?  I really thought this should all be transparent to the app.

Thanks for all your help!

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Tuesday, September 09, 2008 4:46 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] TCP Window Sizes

On Tue, Sep 09, 2008 at 04:00:34PM -0400, Aaron Allen wrote:
> I am seeing >10mbit with larger window sizes consistently on
> different servers.  The rtt should be lower on the second trace
> just because it is hitting a different amazon datacenter (and
> thus the higher throughput).

When you say "on other servers", do you mean "from other servers
towards the amazon server" or "from this Win2008 server towards
other servers"?

I do still see that there are two packets sent every time, adding
up to 2048 bytes. Are you sure TCP segmenting offloading is off?
Looks to me like the NIC is still splitting up the 2K packets
it gets from the application. Your server does not seem to
honor the high windowsize that is offered by the amazon server.
If it did, it should blast out many packets pefore needing
an ack. And in the 2nd trace that you sent, it only sends out
8K before needing an ack.

Looks like somehow you're hitting a buffer size locally.

I'm still interested in a trace made on the server and one on the
span port at the same time (with tcp segment offloading enabled).
For reference it would be nice if you could do the same for one
"other server" on which you see good throughput. So in total that
would result in 4 tracefiles. Please use ip-addresses instead of
names so that the traces can be compared in regard to rtt times.

Cheers,
    Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users

Attachment: largewindow-local.pcap
Description: largewindow-local.pcap

Attachment: largewindow-span.pcap
Description: largewindow-span.pcap

Attachment: smallwindow-local.pcap
Description: smallwindow-local.pcap

Attachment: smallwindow-span.pcap
Description: smallwindow-span.pcap