Discussion:
[Bro] window_recision
Thomas Mullins
2013-12-16 18:11:05 UTC
Hello everyone,

While searching our BRO logs, I came across a few hosts giving window_recision errors. A Google search did not shed any light on this subject. What does window_recision mean?

Thanks
Shane
Siwek, Jonathan Luke
2013-12-16 19:48:34 UTC
Post by Thomas Mullins
While searching our BRO logs, I came across a few hosts giving window_recision errors. A Google search did not shed any light on this subject. What does window_recision mean?
I think it means that a TCP shrunk its recv-window by more than the amount of data it's ACKing, i.e. in https://tools.ietf.org/html/rfc793#section-3.7 :

The mechanisms provided allow a TCP to advertise a large window and to
subsequently advertise a much smaller window without having accepted
that much data. This, so called "shrinking the window," is strongly
discouraged. The robustness principle dictates that TCPs will not
shrink the window themselves, but will be prepared for such behavior
on the part of other TCPs.

- Jon
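
The condition described in the reply above, as an added example that is not part of the original thread and is not Bro's own code: it tracks the right edge of the advertised window (ack + window) for one endpoint and reports each segment where that edge moves backwards. The function names, the (ack, window) tuple format and the sample values are assumptions constructed for illustration; window values are assumed to be already scaled to bytes.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_delta(a, b):
    """Signed distance a - b in 32-bit sequence space (handles wraparound)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def find_window_shrinks(segments):
    """segments: (ack, window) pairs sent by one endpoint, in capture order.

    Returns (index, bytes_rescinded) for every segment whose right window
    edge, ack + window, lies behind the previously advertised edge. That is
    the RFC 793 "shrinking the window" case: the window dropped by more
    than the amount of newly ACKed data.
    """
    findings = []
    edge = None
    last_ack = None
    for i, (ack, win) in enumerate(segments):
        # An ACK older than one already seen is reordered or retransmitted
        # and carries stale window information, so it is skipped.
        if last_ack is not None and seq_delta(ack, last_ack) < 0:
            continue
        new_edge = (ack + win) % MOD
        if edge is not None:
            moved = seq_delta(new_edge, edge)
            if moved < 0:
                findings.append((i, -moved))
        edge, last_ack = new_edge, ack
    return findings


# Constructed sample: one direction of a flow.
SAMPLE = [
    (1000, 8000),  # right edge 9000
    (3000, 6000),  # edge 9000: window closes exactly as data is ACKed (normal)
    (4000, 6000),  # edge 10000: window opens
    (4500, 2000),  # edge 6500: 3500 bytes of advertised window rescinded
    (4200, 5800),  # stale ACK, ignored
    (4500, 2000),  # edge unchanged
]

if __name__ == "__main__":
    for idx, lost in find_window_shrinks(SAMPLE):
        print(f"segment {idx}: window edge moved back {lost} bytes")
```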
Seth Hall
2013-12-16 19:51:57 UTC
Post by Thomas Mullins
While searching our BRO logs, I came across a few hosts giving window_recision errors. A Google search did not shed any light on this subject. What does window_recision mean?
I've been curious about this myself at a few sites that see a surprisingly high number of window_recision weirds. My suspicion is that it's due to some middle box on the network that is running out of buffer space. Are you monitoring at your border and do you have a border firewall?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
