Needs help to understand the wireshark results of a data transferring

Posted on

Needs help to understand the wireshark results of a data transferring – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, samba, tcp, wireshark, .

In my LAN, I have a router that runs a Samba server and my PC connects to the router.

I wiresharked during uploading a file from my PC to the samba server.

Below is a shortcut of the wireshark result,

enter image description here

As can be seen, after server’s reply in frame 7560, my PC sends several packets which are all full sized(frame with 1514 bytes).

enter image description here

But in frame 7560, the advertised window size is 94 bytes.

And the above situation happens throughout the results.

So, what I cannot understand is how can my PC sends almost 30000+ bytes while the last packets from the server only advertise a 94 bytes window.

Solution :

Window size is affected by network buffer size, the default setting in Linux 2.6 should be fine, in case the network buffer is too small, use following
recommded value for Gigabit Ethernet

sysctl -w net.ipv4.tcp_rmem="40960       1048560 4194304"
sysctl -w net.ipv4.tcp_wmem="40960       196608  4194304"
sysctl -w net.core.rmem_max=4194304
sysctl -w net.core.wmem_max=4194304

more details

You can use iperf to detect window size, if it reports fine for server’s local NIC, then it might be issue with the router or app

I would think this is TCP Window Scaling at work – it probably has been negotiated at connection setup and is not taken into account by Wireshark. So the advertised window size is not 94 Bytes but (2^ x) * 94 where x is the scaling factor.

Leave a Reply

Your email address will not be published.