
Wireshark Quick Tip - Graphing TCP Zero Windows with tcptrace (by Chris Greer)

There is a handy new feature in Wireshark that just made looking at one of my favorite trace files a little more interesting.

The tcptrace graph has been used by analysts for years to visualize the efficiency of data transfers over TCP. It shows sequence numbers increasing over time, the receiver's advertised TCP window, bytes in flight, retransmissions and acknowledged data. That way, if there is a hitch in a download or large transfer, you can quickly spot where the problem is and start digging for root cause.

In the screenshot below we see a tcptrace graph with all the pertinent info.

[Figure: tcptrace graph in Wireshark]

This graph is great. It has been a huge help for years. As you can see above, there is a long pause in the data transfer, and with a few clicks we can start a deep dive.

But until recently, there was one thing missing that is very important to know when analyzing data transfers – zero windows.

When the receiver's advertised TCP window (the free space in its receive buffer) drops to zero, the sender has to put on the brakes and halt the data transfer; until the receiver advertises room again with a window update, the sender can do no more than send periodic zero-window probes. The receiver, in many cases the client side, isn't keeping up with the ingress data stream and is telling the sender to stop so it can catch up. This can cause huge problems in data transfers and is at times the root cause of file transfer performance issues.

In recent updates of Wireshark, we can now see these "halt" packets displayed for us as an X in the stream. They are the same segments that the display filter tcp.analysis.zero_window matches, so you can jump from the graph to the packet list and back.

In this file transfer, the client-side zero window was a big part of where time was lost. Now, using the tcptrace graph, we can spot them more easily. This screenshot shows the other direction of the conversation, from the receiver's perspective, so we don't see a large increase in the sequence numbers. After all, data isn't flowing in this direction! But we do see the zero windows.

[Figure: TCP zero windows marked on the tcptrace graph]
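To make the rule behind those X marks concrete, here is an added example (my own code, not Chris Greer's and not Wireshark's source) that parses raw TCP headers and flags zero-window segments using the same condition Wireshark documents for tcp.analysis.zero_window: the window field is 0 and none of SYN, FIN or RST is set. It also tracks the window-scale option from each side's SYN so it can report the calculated window the way Wireshark does, and it goes slightly beyond the post by showing that a zero-window probe and a FIN carrying window 0 are not flagged. The `Segment` class, the helper names and the sample trace bytes are constructed for this illustration.

```python
"""Flag TCP zero-window segments in a list of raw TCP headers.

Added example, not code from the original post or from Wireshark. Helper
names and the sample trace are constructed. The detection rule follows
Wireshark's documented tcp.analysis.zero_window condition.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int                  # raw 16-bit window field from the header
    wscale: Optional[int] = None  # shift count from the Window Scale option, if present


def parse_tcp_header(buf: bytes) -> Segment:
    """Parse a TCP header (no IP header in front) and pick out the Window Scale option."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", buf[:20])
    hlen = (off_flags >> 12) * 4       # data offset is in 32-bit words
    flags = off_flags & 0x1FF          # NS + the eight classic flag bits
    wscale = None
    opts = buf[20:hlen]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 3 and length == 3:  # Window Scale (RFC 7323): one-byte shift count
            wscale = opts[i + 2]
        i += length
    return Segment(sport, dport, seq, ack, flags, window, wscale)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int, wscale: Optional[int] = None) -> bytes:
    """Constructed helper to build sample headers; checksum is left at 0."""
    opts = bytes([3, 3, wscale, 1]) if wscale is not None else b""   # WS option + NOP pad
    hlen = 20 + len(opts)
    off_flags = ((hlen // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + opts


def classify(headers: List[bytes]) -> List[dict]:
    """Per segment: direction, raw window, calculated (scaled) window, zero-window verdict."""
    scale: Dict[Tuple[int, int], int] = {}   # (sport, dport) -> shift count seen on that side's SYN
    rows = []
    for idx, buf in enumerate(headers):
        seg = parse_tcp_header(buf)
        key, rev = (seg.src_port, seg.dst_port), (seg.dst_port, seg.src_port)
        if seg.flags & SYN and seg.wscale is not None:
            scale[key] = seg.wscale
        # Scaling is never applied to the SYN itself, and only takes effect when both
        # sides sent the option (RFC 7323); the shift used is the sender's own shift.
        shift = scale[key] if (key in scale and rev in scale and not seg.flags & SYN) else 0
        zero = seg.window == 0 and not seg.flags & (SYN | FIN | RST)
        rows.append({"index": idx, "direction": f"{seg.src_port}->{seg.dst_port}",
                     "window": seg.window, "calc_window": seg.window << shift,
                     "zero_window": zero})
    return rows


def zero_windows(headers: List[bytes]) -> List[Tuple[int, str]]:
    """Indices and directions of the segments Wireshark would mark as zero window."""
    return [(r["index"], r["direction"]) for r in classify(headers) if r["zero_window"]]


# Constructed sample: a client (port 49152) downloading from a server (port 443).
C, S = 49152, 443
SAMPLE_TRACE = [
    build_tcp_header(C, S, 0, 0, SYN, 65535, wscale=7),            # 0 client SYN
    build_tcp_header(S, C, 0, 1, SYN | ACK, 65535, wscale=7),      # 1 server SYN/ACK
    build_tcp_header(C, S, 1, 1, ACK, 512),                        # 2 client ACK, calc 512<<7
    build_tcp_header(S, C, 1, 1, ACK, 512),                        # 3 server data (1460 bytes)
    build_tcp_header(C, S, 1, 1461, ACK, 0),                       # 4 client ZERO WINDOW
    build_tcp_header(S, C, 1461, 1, ACK, 512),                     # 5 server zero-window probe
    build_tcp_header(C, S, 1, 1461, ACK, 512),                     # 6 client window update
    build_tcp_header(C, S, 1, 1461, FIN | ACK, 0),                 # 7 client FIN, not flagged
]

if __name__ == "__main__":
    for row in classify(SAMPLE_TRACE):
        print(row)
    print("zero windows:", zero_windows(SAMPLE_TRACE))
```

Only segment 4 is reported: the server's probe in segment 5 carries a non-zero window, and the client's FIN in segment 7 is excluded by the flag check, matching what you would see filtering the capture on tcp.analysis.zero_window. Segment 2 shows why the calculated window matters: a raw field of 512 is 65536 bytes once the scale factor of 7 is applied.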

Thanks, Wireshark developers!! This is very handy for spotting problems that are rooted in zero windows. Hope it is helpful to you as well, good reader.

Keep on capturing, packet people.

Got network problems? Get in touch!

Author Profile - Chris Greer is a Chief Packet Head for Packet Pioneer LLC and a Certified Wireshark Network Analyst. Chris regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. Chris also delivers training and develops technical content for Wireshark and for several analysis vendors. 

