Wireshark-users: Re: [Wireshark-users] TCP Window Sizes

From: Aaron Allen <Aaron.Allen@xxxxxxxxxxxxxx>
Date: Fri, 12 Sep 2008 11:20:24 -0400
Thanks all, I've learned a great deal more about packet analysis through this experience :)

It is definitely software related.  The app I was using is s3sync, which is a Ruby-based rsync-style app for S3.  I don't think Ruby has the ability to resize the send buffer (at least not that I've found) and this is what was the cause of my issue.  I was thrown off by the seemingly small window sizes I was seeing and was sure it was TCP related.

Ruby development is certainly beyond the scope of this list, but at least I know what to look at now!  Thanks again!

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Friday, September 12, 2008 12:34 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] TCP Window Sizes

On Wed, Sep 10, 2008 at 07:23:47PM -0400, Hansang Bae wrote:
> Aaron Allen wrote:
> > My attachments were a bit too large, I have put the attachments
> > referenced below up at this site temporarily:
> > http://216.248.62.108/wireshark/

Great, thanks!

> > I'll admit, I'm confused.  I see larger window sizes in the
> > packet captures from the Vista workstation, but not from the
> > Windows 2008 server.  The packet captures from the local and
> > SPAN session vary greatly from the Vista machine.  Since that
> > NIC has "Large Send Offload" enabled, I'm guessing the
> > workstation NIC is handling segmentation, and thus the differences.

That's exactly what happens.

> > Is it possible that this is an application limitation?  I
> > really thought this should all be transparent to the app.

Well, I'm not an expert in how applications interact with the
tcp/ip stack. But it is clear that it is a local problem on
your Win2008 box.

> But the key thing here is the 8192 byte sending buffer by the
> application.  Clearly TCP is not at fault here.  But then someone in my
> team noticed something.  You are doing a PUT from IE correct?

I did not see the "User-Agent" header in the request, is this a custom
application doing the PUT? If so, could you try the same action
from a browser, to see if it makes a difference?

> See:  http://support.microsoft.com/kb/329781
>
> The PUT default sending buffer (not to be confused with the TCP send buffer)
> defaults to 8192 bytes.

I agree with this, it all looks like the application is using a fixed
8K send buffer, so it is not able to fully utilize the tcp window
that Amazon advertises.

Cheers,
    Sake
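
Added example (not part of the original thread): a Python sketch of the check the replies above arrive at, comparing the sender's peak unacknowledged bytes with the window the receiver advertises. The trace, RTT, MSS and the 65535-byte window are constructed values; only the 8192-byte chunk comes from the thread.

```python
from collections import namedtuple

# One TCP segment as seen at the sender. dir is "out" for client data and
# "in" for server ACKs; seq/ack are relative; win is the already-scaled
# window advertised in that segment.
Seg = namedtuple("Seg", "t dir seq ack length win")

def constructed_trace(chunk, rounds, mss=1460, rtt=0.08, win=65535):
    """Constructed capture: the app writes `chunk` bytes, then waits one RTT
    for the ACK before writing again. All parameters are assumptions."""
    segs, seq, t = [], 0, 0.0
    for _ in range(rounds):
        end = seq + chunk
        while seq < end:
            n = min(mss, end - seq)
            segs.append(Seg(t, "out", seq, 0, n, 0))
            seq += n
        t += rtt
        segs.append(Seg(t, "in", 0, seq, 0, win))
    return segs

def flight_report(segs):
    """Return (peak bytes in flight, smallest peer window, utilisation)."""
    highest_sent = highest_acked = peak = 0
    min_win = None
    for s in segs:
        if s.dir == "out" and s.length:
            highest_sent = max(highest_sent, s.seq + s.length)
        elif s.dir == "in":
            highest_acked = max(highest_acked, s.ack)
            min_win = s.win if min_win is None else min(min_win, s.win)
        peak = max(peak, highest_sent - highest_acked)
    if not min_win:
        raise ValueError("no usable advertised window seen from the peer")
    return peak, min_win, peak / min_win

def classify(segs, threshold=0.5):
    """Sender-limited: the peer offers far more window than is ever used."""
    _, _, util = flight_report(segs)
    return "sender-limited" if util < threshold else "window-limited"

if __name__ == "__main__":
    for chunk in (8192, 65535):
        trace = constructed_trace(chunk, rounds=4)
        print(chunk, flight_report(trace), classify(trace))
```

On a real capture, Wireshark exposes the same quantity per segment as `tcp.analysis.bytes_in_flight`, which can be compared against the peer's calculated window size.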