Confusion regarding the TCP window size - TCP-IP

This is a discussion on Confusion regarding the TCP window size - TCP-IP ; Hi, I am reading the TCPDUMP output by sniffing packets on a machine which is accepting request on port 21. The output is as follows. "" sudo /usr/sbin/tcpdump -i eth0 host 10.128.0.2 tcpdump: verbose output suppressed, use -v or -vv ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Confusion regarding the TCP window size

  1. Confusion regarding the TCP window size

    Hi,

    I am reading the TCPDUMP output by sniffing packets on a machine
    which is accepting request on port 21.
    The output is as follows.
    ""
    sudo /usr/sbin/tcpdump -i eth0 host 10.128.0.2
    tcpdump: verbose output suppressed, use -v or -vv for full protocol
    decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    16:38:56.832118 IP 10.128.0.2.33846 > ratheesh.ftp: S
    512021751:512021751(0) win 5840 0,nop,wscale 2>
    16:38:56.833201 IP ratheesh.ftp > 10.128.0.2.33846: S
    1246138828:1246138828(0) ack 512021752 win 5792 1460,sackOK,timestamp 3756663 1840785658,nop,wscale 2>
    16:38:56.897908 IP 10.128.0.2.33846 > ratheesh.ftp: . ack 1 win 1460


    ""
    I am confused regarding the window size that both sender and
    receiver advertises.
    Here , sender is advertising a window size of 5840 bytes and
    receiver is advertising a
    window size of 5792 bytes. After that the window size is negotiated
    to 1460 bytes.

    From where these values of window size are taken when a connection
    is established.Is it
    configurable . There are two kernel parameters through which we can
    manage the TCP window
    size.Is it anyway related to these values.
    The value are as follows on both sender and receiver.

    net.core.rmem_max = 131071
    net.core.wmem_max = 131071
    net.ipv4.tcp_rmem = 4096 87380 174760
    net.ipv4.tcp_wmem = 4096 16384 131072

    Thanks in Advance.


  2. Re: Confusion regarding the TCP window size

    query.cdac@gmail.com wrote:

    > sudo /usr/sbin/tcpdump -i eth0 host 10.128.0.2
    > tcpdump: verbose output suppressed, use -v or -vv for full protocol
    > decode
    > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    > 16:38:56.832118 IP 10.128.0.2.33846 > ratheesh.ftp: S
    > 512021751:512021751(0) win 5840 > 0,nop,wscale 2>
    > 16:38:56.833201 IP ratheesh.ftp > 10.128.0.2.33846: S
    > 1246138828:1246138828(0) ack 512021752 win 5792 > 1460,sackOK,timestamp 3756663 1840785658,nop,wscale 2>
    > 16:38:56.897908 IP 10.128.0.2.33846 > ratheesh.ftp: . ack 1 win 1460
    >
    >
    > ""
    > I am confused regarding the window size that both sender and
    > receiver advertises.


    Because tcpdump output is not honouring the wscale option of the tcp
    handshake for subsequent session packages.

    2^2*1460=5840...

    Try tshark and you will see everything is fine.

    Markus

+ Reply to Thread