Tcp zero windows segment

Время на прочтение5 мин

Количество просмотров6.5K

Задержки (а по‑простому тормоза) в работе сети вряд ли кого‑то оставят равнодушным. Мы все очень не любим, когда медленно загружаются наши любимые веб‑ресурсы, или когда обрывается на 99% загрузка какого‑либо файла. Причин тормозов в сети может быть много — от проблем на физическом уровне и до медленной работы на уровне приложений. Сегодня мы поговорим об одной из причин задержек в сети, которую можно выявить с помощью анализатора пакета Wireshark. При этом не имеет особого значения, передается ли наш трафик в открытом виде или прячется за SSL: на верхние уровни мы забираться не будем. Важно только то, что это TCP трафик.

Окна в TCP

Протокол TCP содержит в своей архитектуре ряд функций, позволяющих препятствовать потере пакетов — например, такие механизмы, как повторные передачи и дублирующие подтверждения. Для предотвращения начала потери пакетов в TCP используется механизм скользящего окна (sliding‑window).

В механизме скользящего окна используется окно приема на стороне получателя пакетов для управления потоком данных. Принимающий хост указывает размер окна приема в байтах, сохраняет его в ТСР‑заголовке и сообщает передающему хосту, сколько данных он готов сохранить в памяти своего ТСР‑буфера. Именно в этой памяти данные временно хранятся до тех пор, пока они не будут переданы вверх по стеку протоколов на уровень приложений для последующей обработки. В итоге передающий хост может одновременно послать только то количество данных, которое указано в поле Window size (Размер окна) заголовка, полученного в ответ пакета ТСР. Чтобы передающий хост мог послать больше данных, принимающий хост должен отправить ему подтверждение о получении предыдущей порции данных. Он должен также очистить память своего ТСР‑буфера, обработав данные, занимающие эту память.

Картинка с сайта: habr.com

В целом, все достаточно просто. Принимающая сторона говорит, что готова принять, условно, три блока данных, отправитель передает их. Получает отправляет подтверждение, после чего отправляются следующие три блока данных и так далее.

В идеальном мире с постоянной пропускной способностью каналов размер окна действительно был бы постоянным значением. Однако, в реальности загрузка канала у нас постоянно меняется, и вместе с ней меняется и размер Window size. Процесс изменения размеров окна приема действует как в сторону уменьшения, так и увеличения. Так, если сервер способен обработать данные с большей скоростью, он может послать подтверждающий пакет АСК с большим размером окна приема.

Но ниже представлен пример приложения, у которого по каким‑то причинам уменьшился объем памяти, доступной в буфере, в результате чего получатель был вынужден уменьшить размер окна.

Картинка с сайта: habr.com

В случае, если получателю удалось решить свои проблемы с памятью, окно может быть снова увеличено. Но если быстро решить проблемы не удалось, и есть риск, что следующий блок данных обработать не удастся, получатель может указать размер Window=0. Что произойдет в таком случае?

Получив такой пакет, клиент прервет передачу данных и будет периодически отправлять пакет поддержания активным соединения. По сути, мы просто поддерживаем TCP соединение, при этом не передавая никаких данных. Когда получатель наконец‑то решит свои проблемы с памятью, он отправит пакет с обновлением размеров окна и передача полезной нагрузки продолжится.

От теории к практике

Теперь давайте вооружимся Wireshark и посмотрим, как выглядит соответствующий трафик.

В примере ниже у нас происходит информационный обмен между 192.168.0.20 и 192.168.0.30. В первых трех ACK пакетах значение Window уменьшается, видимо, у получателя проблемы с памятью и он не может обрабатывать больший объем данных.

Затем получатель отправляет пакет с нулевым окном. Однако после этого, по прошествии небольшого интервала времени, он отправляет обновление информации о размерах окна, в результате чего передача полезной нагрузки возобновляется.

Картинка с сайта: habr.com

В самом пакете информация о размере окна находится в TCP заголовке:

Картинка с сайта: habr.com

Теперь посмотрим более печальный случай: когда получателю не удается быстро решить свои проблемы с памятью и значение Window остается нулевым некоторое время.

Картинка с сайта: habr.com

Здесь мы видим обмен трафиком между двумя узлами. В какой‑то момент один из участников отказывается принимать полезную нагрузку, отправив TCP ZeroWindow. После этого второй участник обмена с некоторой периодичностью отправляет Keep‑Alive пакеты, на которые первый участник продолжает отвечать нулевыми окнами. Пакеты Keep‑Alive также являются служебными и не несут в себе никакой полезной нагрузки.

Как искать

В приведенных примерах наши служебные пакеты были представлены в уже отфильтрованном виде без лишнего трафика. В реальных дампах у нас будет много других пакетов, и нам потребуется осуществить фильтрацию.

Для того чтобы отфильтровать в Wireshark пакеты с определенным размером окна, нужно воспользоваться фильтром tcp.window_size_value.

Например, для того, чтобы найти все пакеты с ненулевым размером окна, нужно указать tcp.window_size_value > 0

Для фильтрации пакетов с ZeroWindow можно, конечно, явно указать фильтр tcp.window_size_value == 0, а можно воспользоваться фильтром

tcp.analysis.zero_window

Для обнаружения Keep_Alive воспользуемся фильтром tcp.analysis.keep_alive

Картинка с сайта: habr.com

Также узнать, как с течением времени менялось значение TCP Window, можно с помощью графика. Для этого нужно выбрать Statistics → TCP Stream Graph → Window Scaling.

Картинка с сайта: habr.com

Заключение

Механизм скользящего окна, о котором мы сегодня говорили, непосредственно связан с неспособностью сервера принимать и обрабатывать данные. Любое уменьшение размера окна приема или даже его установка в нулевое состояние является непосредственным результатом какого‑то затруднения, возникшего на сервере. Поэтому, если вы видите большое количество таких пакетов в трафике, то это верный признак проблем с производительностью на принимающем узле и возможная причина задержек и сбоев в работе сетевых приложений.

В завершение рекомендую открытые уроки в Otus, подробнее о них ниже. Занятия пройдут в онлайн-формате и будут полезны сетевым инженерам, сетевым архитекторам и всем, кто глубоко интересуется современными сетевыми технологиями.

• 5 февраля: ISIS vs. OSPF, или почему же ISIS до сих пор проигрывает битву OSPF в корпоративных сетях? Записаться

• 18 февраля: Надежность и сети, или почему скорость сходимости STP уже очень давно никому не нравится? Записаться

Recently, I have been sent a network trace file to analyze. The common complains were related poor (slow) TCP performance. After examining the trace file in detail, I found the culprit was TCP Zero Window packets.

What is TCP Zero Window?

In previous article (https://www.golinuxcloud.com/tcp-receive-window/), I have explained what a TCP receive window is. TCP zero window is a mechanism used to control the data flow. When receiver gets overwhelmed by sender, it can reduce its receive window. If it fills, the receiver reduces the receive window to zero which simply means that “I am full, please do not send any more data”. The sender will not send any data until the receiver frees (processes) the data in the receive window (TCP buffer). Once the buffer gets empty, the receiver increases (updates) the receive window and informs the sender that it has a free buffer to store some data.

Assume we have a sender and a receiver exchanging data like figures below. I will overview TCP zero window in a couple of steps.

Step-1: Zero window only happens when TCP is used as the transport protocol. There is no such thing in UDP. During TCP 3way handshaking both the sender and the receiver advertise their receive window. As seen below, the receiver sets its receive window to 4 bytes. The same goes for the sender. For sake of simplicity, each cell represents a byte. At the start, both of the buffers are fully free.

Картинка с сайта: www.golinuxcloud.com

Step-2: The application on the sender delivers 4 bytes to the sender’s buffer and the sender sends one of them to the receiver like below. The receiver stores the data in its buffer and acknowledges the sender with the window size of 3.

Картинка с сайта: www.golinuxcloud.com

Step-3: The sender puts another byte on the fly, freeing its buffer one more byte. As soon as the receiver gets the data, it places it in one of the free cells and lets the sender know there are only two cells left free with setting receive window to 2.

Картинка с сайта: www.golinuxcloud.com

 Step-4: The same pattern happens here as well.

Картинка с сайта: www.golinuxcloud.com

Step-5: In this step, the sender sends the last byte in the buffer to the receiver. The receiver stores the data in its buffer. As seen below, the receiver’s application has not emptied the buffer. Because of that, there is no room for storing more data in the buffer, the receiver has to inform the server to stop sending more data with setting its receive window to zero. Once the sender sees the zero window, it stops sending data until the receiver increasing its receive window.

Картинка с сайта: www.golinuxcloud.com

Step-6: The application on the server delivers some data to TCP and the data is stored in the buffer. Since the sender has not gotten any window update from the receiver, it has to wait without sending any data. This causes a delay in the network. As a result, the clients experience a slow network.

Картинка с сайта: www.golinuxcloud.com

 Step-7: The receiver frees 3 cells (bytes) and lets the server know that. After this step, the server will continue to send the data.

Картинка с сайта: www.golinuxcloud.com

Analyzing TCP Zero Window in Wireshark

Zero window generally happens when there is heavy data exchange between the parts and low resources to consume. It is not easy to reproduce a TCP window zero event in a lab, so I will use Curl tool to cause a TCP zero window. It provides rate limiting by specifying the maximum upload and download transfer rate.

Step-1: For demonstration, I will use Curl to download a web page with setting rate limit 1K for each direction (download and upload). After starting Wireshark, apply the command below for rate limiting. The tool will optimize TCP receive window accordingly.

┌──(kali㉿kali)-[~]
└─$ wget http://info.cern.ch/hypertext/WWW/TheProject.html --limit-rate=1K
--2022-06-03 15:00:05--  http://info.cern.ch/hypertext/WWW/TheProject.html
Resolving info.cern.ch (info.cern.ch)... 188.184.21.108, 2001:1458:d00:34::100:125
Connecting to info.cern.ch (info.cern.ch)|188.184.21.108|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2217 (2.2K) [text/html]
Saving to: ‘TheProject.html.7’
 
TheProject.html.7             100%[=================================================>]   2.17K  1023 B/s    in 2.2s
 
2022-06-03 15:00:07 (1023 B/s) - ‘TheProject.html.7’ saved [2217/2217]
┌──(kali㉿kali)-[~]

Following screenshot shows the packets I captured. Notice that there is some nice expert info related to “[TCP ZeroWindow]” and “[TCP Window Full]”.

Картинка с сайта: www.golinuxcloud.com

Step-2: The receiver advertises its receive window of 1152 bytes to the sender in the packet number 1.

Картинка с сайта: www.golinuxcloud.com

Step-3: The sender advertises its receive window of 28960 bytes to the receiver in the packet number 2.

Картинка с сайта: www.golinuxcloud.com

Step-4: After completing TCP 3way handshaking, the receiver sends a http GET request in packet number 4.

Картинка с сайта: www.golinuxcloud.com

Step-5: After receiving the request, the sender (the server) responses with a packet size of 576 bytes in packet number 6.

Картинка с сайта: www.golinuxcloud.com

Step-6: The sender sends another packet with size of 576 bytes in packet number 8. The total number of bytes sent to the receiver is equal to 576+576=1152. Since it is equal to receive window, Wireshark predicts that the receiver receive window has been filled.

Картинка с сайта: www.golinuxcloud.com

Step-7: The receiver ACKs the sender with packet number 9, which means the receiver has freed the receive window.

Картинка с сайта: www.golinuxcloud.com

Step-8: The sender sends a packet size of 1152 bytes, which fills the receiver receive window. Wireshark shows that in packet number 10.

Картинка с сайта: www.golinuxcloud.com

Step-9: Since the receiver window is full, the receiver notifies the server to stop sending data with setting window size to zero in packet number 11.

Картинка с сайта: www.golinuxcloud.com

Step-10: with packet number 12, the sender ACKs the receiver and tells it to keep the connection alive.

Картинка с сайта: www.golinuxcloud.com

Step-11: The receiver keeps setting its window to zero in packet number 13.

Картинка с сайта: www.golinuxcloud.com

Step-12: The receiver and sender keep repeating the same pattern for the next two packets.

Картинка с сайта: www.golinuxcloud.com

Step-13: After freeing the buffer, the receiver updates its window to 1152 and the data transfer starts again. When we look at the time column, we can see that the zero window caused almost 2 seconds delay.

Картинка с сайта: www.golinuxcloud.com

Final thoughts

TCP zero window plays a great role in experiencing a slow network. There can be variety of reason behind it. To address some common reason:

Check if both side the sender and the receiver advertise window scaling, which lets use of much larger receive window. The larger buffers mean less overwhelm.  It is important that both side supporting window scaling, otherwise window scaling will not be utilized. Window scaling only works if both sides include it as an option during the initial 3-way handshake.

To investigate the culprit behind TCP zero window, one should take a look at the receiver resources to find out why the receiving buffer does not get emptied in the time. The receiver resources need to be observed, including counters for logical disk, physical disk, RAM, page file, all the TCP counters, processes and CPU.

References

https://accedian.com/blog/tcp-receive-window-everything-need-know/
https://www.linkedin.com/pulse/tcp-retransmits-window-size-0-problem-maybe-larry-brasher-brasher
https://packetpioneer.com/wireshark-graphing-tcp-zero-windows/
https://support.f5.com/csp/article/K35612380

1. Introduction

By default, Wireshark’s TCP parser tracks the status of each TCP session and provides additional information when issues, such as a TCP Zero Window, or potential problems are detected. When a capture file is first opened, each TCP packet, including those indicating a TCP Zero Window condition, is analyzed in the order they appear in the packet list. This functionality, which can help identify TCP Zero Window occurrences, can be enabled or disabled through the “Analyze TCP sequence numbers” TCP parser preference.

2. TCP Analysis Overview

In TCP analysis, three key pieces of information are related to TCP Zero Window: TCP Zero Window, TCP ZeroWindowProbe, and TCP ZeroWindowProbeAck. In real-world scenarios, these may occur individually, such as TCP Zero Window, or together, indicating a zero window followed by necessary probes and acknowledgments for window recovery. When performing TCP analysis in packet files, “TCP ZeroWindow” typically displays as [TCP ZeroWindow] in the Info column of the Packet List window, while in the Packet Details window, it is defined under [SEQ/ACK analysis] -> [TCP Analysis Flags].

Картинка с сайта: www.ids-sax2.com

3. TCP Zero Window Definition

The definition of TCP Zero Window in TCP analysis is relatively straightforward. It is set when the receive window size is 0 and none of the SYN, FIN, or RST flags are set, indicating that the receiver is notifying the sender to pause data transmission.

The window field in each TCP header advertises the amount of data a receiver can accept. If the receiver can’t accept any more data, it will set the window value to zero, signaling the sender to pause its transmission. In some cases, this is normal — for instance, a printer might use a zero window to pause while loading or reversing a sheet of paper. However, in most cases, it indicates a performance or capacity issue on the receiving end. Resuming a paused connection can take a long time, sometimes several minutes, even if the underlying issue that caused the zero window resolves quickly.

4. Code Example

The following code represents a key part of Wireshark’s analysis of TCP traffic handling zero window notifications, aiding in the correct interpretation and display of TCP connection status and control information. When both conditions—receive window size being 0 and none of the SYN, FIN, or RST flags being set—are met, the packet is classified as a zero window notification. This indicates that the receiver has no available buffer space for incoming data and thus notifies the sender to pause transmission.

/* ZERO WINDOW
 * a zero window packet has window == 0 but none of the SYN/FIN/RST set
 */
if (window == 0 && (flags & (TH_RST | TH_FIN | TH_SYN)) == 0) {
    if (!tcpd->ta) {
        tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
    }
    tcpd->ta->flags |= TCP_A_ZERO_WINDOW;
}

5. Packetdrill Example

Based on the above TCP Zero Window definition and code explanation, the logic of TCP analysis is simple, making it easy to simulate relevant phenomena using Packetdrill.

# cat tcp_zero_window.pkt 
0   socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0  setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0  bind(3, ..., ...) = 0
+0  listen(3, 1) = 0
+0  < S 0:0(0) win 1000 <mss 1460>
+0  > S. 0:0(0) ack 1 <...>
+0.01 < . 1:1(0) ack 1 win 1000
+0 accept(3, ..., ...) = 4
+.1 write(4, ..., 1000) = 1000
+0 > P. 1:1001(1000) ack 1
+0.1 < . 1:1(0) ack 1001 win 0

Wireshark displays the information such that No.6 is marked as [TCP Zero Window] because the window is 0 and none of the SYN, FIN, or RST flags are set.

Картинка с сайта: www.ids-sax2.com

6. Instances of TCP Zero Window

Examples of TCP Zero Window instances are not commonly seen in everyday packet captures. However, when observed, they indicate that the receiving window is 0, meaning the receiver cannot accept data due to performance or capacity issues, signaling the sender to pause transmission. If the window recovery time is long, the TCP transmission rate will naturally decline, and repeated occurrences will noticeably slow application transmission. Various scenarios may also be accompanied by TCP Window Update, TCP ZeroWindowProbe, and TCP Zero WindowProbeAck messages.

6.1. TCP Window Full + TCP Zero Window + TCP Window Update

A common zero window scenario involves a brief instance where the receiving window is 0, immediately followed by a window update message. Initially, the server sends data, detects a full client receive window, and marks it as [TCP Window Full]. Subsequently, the client, marked as [TCP ZeroWindow] due to the window being 0, sends a [TCP Window Update] message 12ms later, restoring the window to 4536.

Картинка с сайта: www.ids-sax2.com

6.2. TCP Window Full + TCP Zero Window + TCP ZeroWindowProbe + TCP Window Update

In another zero window scenario, the receiving window becomes 0, and the TCP ZeroWindow notification is sent. After some time, the sender sends a TCP ZeroWindowProbe packet. Upon receiving the probe, the receiver replies with a TCP Window Update, confirming the window’s restoration.

Картинка с сайта: www.ids-sax2.com

6.3. TCP Window Full + TCP Zero Window + TCP ZeroWindowProbe + TCP ZeroWindowProbeAck + TCP Window Update

This scenario includes all five TCP analysis flags. The client sends data, discovers that the server’s receive window is full, and marks it as [TCP Window Full]. The server then marks No.7 as [TCP Zero Window]. After a wait of about 2 seconds, the client sends a TCP Zero Window Probe, and the server responds indicating the zero window has not yet recovered, marked as [TCP Zero Window Probe Ack] + [TCP Zero Window]. Following another 300ms, the server sends a TCP Window Update, restoring the window to 14600, completing a full cycle of zero window occurrence, probing, and recovery.

Картинка с сайта: www.ids-sax2.com

Similar scenarios are as follows:

Картинка с сайта: www.ids-sax2.com

7. Conclusion

In summary, while TCP Window Full does not necessarily indicate a TCP Zero Window occurrence, the presence of a TCP Zero Window suggests there must have been a prior TCP Window Full event.

Wireshark is a software designed to troubleshoot communication networks, but communication does not live alone. Usually when users complain about a “slow network” they actually mean “something here works slow”, and of course, the network is the first to blame. Wireshark that is commonly used for network analysis can also show you indications, and in many cases to discover problems that comes from the applications and the computing hardware.

This article is based on the Wireshark courses series: Wireshark Basics, Core Protocols Analysis, Applications Protocols Analysis and Network Forensics.

One of the simple ways to discover slowness in end points (PCs, servers or applications running on them) is locating slowness issues with the TCP Sliding Windows mechanism.

How does this mechanism work? quite simple. When two stations open a TCP connection each side informs the other what is the size of the memory it allocates for the process (A process can be file transfer, DB Client talking to DB Server, browsing a web server in HTTP or any other application that works over TCP), referred to as a memory buffer. The buffer size is set during TCP connection establishment and can be changed during operation.

The size of the window in memory determines the rate of data transfer, according to the approximate formula:

Картинка с сайта: ndi-com.com

When:

• Throughput – effective application bytes/sec.
• Round Trip Time (RTT) – time between sent packet and the acknowledge for that packet.
• Window Size – size of the memory buffer on the receiver side.

The TCP Sliding Window mechanism principle is simple: for each process, the receiver allocates a buffer in its memory for receiving bytes from the sender. The sender sends bytes to the receiver, continuously filling the receiver buffer. The receiver on its side reads the information from the buffer, empties the buffer, and send an acknowledge back to the sender confirming that data has arrived.

If the receiver works properly, it will clear the buffer fast enough and send acknowledges on time to the sender. If the receiver is slow, or the applications that runs on it is slow, it will not clear the buffer fast enough, that will cause one of the two things (or both):

1. Since Wireshark sees the window size of the receiver (it is sent in the window size field in every packet), and it sees also the number if bytes that were sent before they were acknowledged, Wireshark can notify that [receiver window is full] (square brackets indicate that Wireshark discovered this issue in the packet stream)
2. When the receiver will see that its window is full, it will reduce the size of the window it advertises to the sender to zero. In this case Wireshark discover a window size value of “0” and present a “Zero Window” message.

Let’s look at some examples. First, every time I test a network using Wireshark, one of the first things I do is open the Expert Information window (from the Analysis menu) and see if there are any unusual effects. In our case, we see warnings and notes with various TCP window issues (see image below).

Картинка с сайта: ndi-com.com

When we right click on the “TCP Zero Window segment” and chose “apply as Filter” and “Selected”, and we will get all the packets in which Wireshark has discovered it.

Картинка с сайта: ndi-com.com

On the display-window bar, we see that the tcp.analysis.zero_window filter was used, and in the packet list we see all the packets that this filter applied to. From here we can see that for example on the first packet, packet 2284, a TCP Zero-window was sent from the sender 192.168.13.128 TCP port 4180 to the receiver 91.208.139.200 port 443. That happens when the sender tells the receiver to stop sending it additional packets.

To isolate the problem, and see if it happens on other connections, we will choose Statistics à Conversations, and click on the “Limit to display filter” checkbox.

Картинка с сайта: ndi-com.com

We see that the only connections that appears here is the connection between the source 192.168.13.128 port 4180 to destination 91.208.139.200 port 443.

Right-clicking on this connection and choosing it will bring s back to the main Wireshark window, and on the packet list we will see that every certain amount of time a zero-window is send from 192.168.13.128 to 91.208.139.200. In the next figure we see that Wireshark discovers a TCP window full” on data sent from 91.208.139.200 to 192.168.13.128 in packet 2487, and two packets later 192.186.13.128 reduces its window to zero – telling the server to stop sending it more information.

Картинка с сайта: ndi-com.com

Clicking in packet 2487, that is on a packet carrying information from the server to the client and choosing TCP stream graphs à Window scaling from the statistics menu will show us how the receiver window behaves, and we see clearly that it is “choked” many times during this data transfer from the server.

Картинка с сайта: ndi-com.com

And if you zoom into it, you will see that there is a serious window issue on the client – probably a slow client or a slow browser. What we can see in the stream graphs – this worth another article, and we will get back to you on it.