analysis of data stream

Data analysis
Using the Ethereal sniffer, the messages returned were TCP Window Full, TCP Zero Window, TCP Update, and TCP Retransmission. What is this telling me?

Answer Wiki


First off – if you’re wondering why you haven’t gotten many replies, it’s because you set your target audience too narrowly. Only 21 people got your question. It’s far more common to see questions with hundreds, thousands, and sometimes tens of thousands of recipients. But I’ll do what I can.

I can’t answer all of those (Never seen TCP Window Full), but I can give you a rough rundown on what it might all mean. If you want to know more, then get one of the books on the TCP/IP protocol and read through it.

Part of the TCP traffic management mechanism includes the concept of “Windowing”. The idea behind it is to improve data transfer speed by eliminating unnecessary ACKnowledgements, and the delay (latency) associated with getting those ACKs in place.

Once the 3-Way handshake is complete, each station sets a 16-bit value (called the TCP window size) to the amount of data that it is willing to receive before an acknowledgement must be sent. This is a sliding variable.

The sequence and acknowledgement numbers play in this calculation as well. Bear in mind that each station’s acknowledgement number is a reflection of the other station’s sequence number. The “reflection” part is where (using a simple example) if the sending station has an initial sequence number of 1, and it sends 1024 bytes, which are received by the other station, the other station then adds the 1024 (# of bytes received) to its ACK value. This way its “partner” knows how much data has been received by the other end.

Now if the Window size is set too large (too many packets), and timeouts or retransmissions start occurring, then the systems are going to reduce the window size so that fewer bytes will be sent before an acknowledgement is sent – the objective being to prevent data loss – even at the cost of some transmission efficiency. Since TCP is considered a reliable transport mechanism, reliability is more important than speed or efficiency.

That said, there are some implications you can make about the Ethereal messages. Some of these are NOT part of the actual data stream, but rather Ethereal’s interpretation of what’s going on, and some are:

TCP Window Full is where the window size has been set to 1, which basically chokes down transmission speed to almost nothing.

TCP Zero Window is where NO data is allowed to be sent. This is usually meant to be a connection recovery mechanism when there have been timeouts and retransmissions.

TCP Update – I have no idea what this means.

TCP Retransmission means either that the sending station did not get an acknowledgement of the data it has sent within its timeout period, or received an acknowledgement of considerably less data than it has sent already. Either way – it will retransmit the last packet sent, or even the last series of packets sent, depending on the window size, and the last received acknowledgement number.
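
The following is an added example, not part of the original answer and not Ethereal's own analysis code: it parses raw TCP headers, shows the ACK number reflecting the peer's sequence number plus 1024 bytes, and labels a zero-window advertisement and a retransmitted segment. The ports, sequence numbers and window values are constructed sample data, and the sketch assumes no TCP options, no window scaling and no sequence-number wraparound.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def tcp_header(sport, dport, seq, ack, flags, window):
    """Build a minimal 20-byte TCP header (constructed sample, checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

def parse_tcp(segment):
    """Split a raw TCP segment into header fields and payload length."""
    sport, dport, seq, ack, off, flags, window, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off >> 4) * 4          # data offset is counted in 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "len": len(segment) - hdr_len}

def annotate(segments):
    """Return (seq, ack, window, payload_len, labels) for each segment in order."""
    next_seq = {}   # (sport, dport) -> highest seq + len already seen in that direction
    notes = []
    for raw in segments:
        s = parse_tcp(raw)
        flow = (s["sport"], s["dport"])
        labels = []
        # Receiver advertises a 16-bit window of 0: the peer may send no more data.
        if s["window"] == 0 and not s["flags"] & (SYN | FIN | RST):
            labels.append("zero window")
        # Data that lies entirely below what this direction already sent was sent before.
        if s["len"] > 0 and flow in next_seq and s["seq"] + s["len"] <= next_seq[flow]:
            labels.append("retransmission")
        next_seq[flow] = max(next_seq.get(flow, 0), s["seq"] + s["len"])
        notes.append((s["seq"], s["ack"], s["window"], s["len"], labels))
    return notes

# Constructed capture: client port 40000 sends 1024 bytes to server port 80.
PAYLOAD = b"x" * 1024
SAMPLE = [
    tcp_header(40000, 80, 1, 1, ACK, 8192) + PAYLOAD,   # seq 1, 1024 bytes of data
    tcp_header(80, 40000, 1, 1025, ACK, 0),             # ack = 1 + 1024, window closed
    tcp_header(40000, 80, 1, 1, ACK, 8192) + PAYLOAD,   # same bytes sent again
    tcp_header(80, 40000, 1, 1025, ACK, 4096),          # window reopened
]

if __name__ == "__main__":
    for note in annotate(SAMPLE):
        print(note)
```
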

