Both sides of a TCP connection (client / server) maintain a receive buffer, also referred to as a receive window, for incoming data. If the receive buffer becomes full, a Zero Window Condition will occur. When a Zero Window Condition occurs, the host cannot receive any more data. Wireshark has 5 packets that represent this issue:
- Window Full (notes)
- Zero Window (warning)
- Zero Window Probe (notes)
- Zero Window Probe ACK (notes)
- Window Update (chats)
Use the following filters to zero in on these packets:
Of Wireshark only has tcp.analysis.window_update packets, neither host should have had a full buffer.