Wireshark-users: Re: [Wireshark-users] TCP windows update

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 1 Mar 2011 15:25:43 -0800
On Mar 1, 2011, at 3:08 PM, Andrej van der Zee wrote:

> I thought there is a difference between a windows advertisement and a
> windows update. The latter, I thought, changes the allowed buffer size
> at the receiver side. Or is this *not* called a windows update?

At the protocol layer, all you have is, in every packet, a "Window" field that specifies

  Window:  16 bits

    The number of data octets beginning with the one indicated in the
    acknowledgment field which the sender of this segment is willing to
    accept.

so every single TCP segment advertises a window.  So, at the protocol layer - i.e., the layer of what information is delivered in a PDU - a "window update" would just be a window advertisement that advertises a window size different from the previous advertisement.

Wireshark labels as a "Window update" a "0 byte segment with the same SEQ/ACK numbers as the previous seen segment and with a new window value", to quote the comment in the code; that means a packet that does nothing *other* than send a new value for the sender's receive window.  That doesn't mean that the TCP segment header doesn't support sending a bunch of data *and* telling the recipient that your receive window has changed its size.  Unless I've missed something, there's no reason why, if you have data to send at the time you want to tell your peer that the window size has changed, and the peer's window is open (so that you *can* send that data), you can't do it in one packet rather than sending a data packet and a separate just-update-the-window packet.