Wireshark-users: Re: [Wireshark-users] Intermittant Machine Lockup through proxy to Internet
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 15 Nov 2009 09:55:16 +0100
On Fri, Nov 13, 2009 at 07:59:57PM -0500, Sheahan, John wrote:
> 
> If you look at just the conversation on port 4918, everything appears 
> to be going along fine until for some reason, the client (76.11) 
> reports a "TCP Zero Window" and then 11 seconds go by before the 
> client resets the connection... not sure what would cause this. Did 
> the client run out of resources?

Starting at frame 187, the window size in the ACKs from the client start
decreasing. This means that at the client side the data is received
properly by the TCP/IP stack, but the application is not pulling the
data from the receive buffers quickly enough to deplete them. 
By the rate at which the window size is decreasing you can
see that actually no data at all is pulled from the buffer (because the
window size decreases with exactly the amount of data that has been
sent). When the window size is zero, the receive buffer is full and no
more data can be sent by the server.

This does not tell us why the web browser does not pull data from the
buffer, but it does tell you that the problem lies on the client PC. 

The TCP-RST is caused by the user as it is going to another URL. The
browser now closes all open connections and opens connections to the new
site. Since the browser seems to be capable of retrieving the new site
in a quick manner, my guess would be that some firewall/virus-scanning
software is actually choking on www.priceline.com.

>  Then the client goes to Google and gets some data but the next 
> two GETS return "HTTP 204 No Content".

No problem... especially since one request has a URL that seems to
explicitly request the 204.

> The client then tries to go to yahoo.com, gets redirected (packet 449) 
> and appears to pull down quite a bit of data but when I look at the 
> HTML data in packet 611, there is only one line of text.

Where do you see only 1 line of text? If you expand the "Line-based text
data" item, you can see the whole page.

> In packet 781, the client tries to go to cnn.com and gets an 
> "HTTP 304 Not Modified" then the client FINs out the connection.

Have a look at the HTTP headers, in the request there is the line
"If-Modified-Since: Wed, 28 Oct 2009 14:26:23 GMT\r\n", this means that
the browser has a local copy in cache and is asking: only send me the
object if it is newer than my version. Which it is not, so the server
tells the browser to use its local copy and save bandwidth and delay.

> What I do notice though is that all HTTP GETS are sent from the client 
> using HTTP 1.1 and the proxy always answers back with HTTP 1.0 
> responses. Could this be the problem?

Nope, this is allowed and is not the source of your problem.

So, the only problem in the trace is the fact that the client is not
pulling data from the receive buffer for some unknown reason.

I would suggest reading some more about TCP and HTTP, it will give you
some understanding of what you see in the traces. Some starting points
might be the RFCs:

RFC793  - Transmission Control Protocol
RFC1945 - Hypertext Transfer Protocol -- HTTP/1.0
RFC2616 - Hypertext Transfer Protocol -- HTTP/1.1

(see: http://www.faqs.org/faqs/)

Hope this helps,
Cheers,


Sake
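As an added illustration of the window-size reasoning in the reply above (this is example code, not from the thread or from Wireshark): given the client's ACKs, it computes how many bytes the application read from the receive buffer between consecutive ACKs, so a run of zero reads ending in a zero window can be spotted mechanically. The ACK list is constructed to mirror the described trace, and the helper names are assumptions.

```python
"""Detect a receiver whose application stops draining the TCP receive buffer.

Hypothetical helper: input is the client's ACKs, e.g. tcp.ack and
tcp.window_size extracted with tshark. Window values are assumed to be
already unscaled unless wscale is given.
"""

# Constructed sample: client ACKs as (frame, ack_number, advertised_window).
# Modelled on the thread: from frame 187 the window shrinks by exactly the
# number of bytes newly acknowledged, until it reaches zero.
CLIENT_ACKS = [
    (183, 97080, 5840),
    (185, 100000, 5840),   # 2920 new bytes acked, window unchanged: app read them
    (187, 101460, 4380),   # 1460 acked, window down 1460: app read nothing
    (189, 102920, 2920),
    (191, 104380, 1460),
    (193, 105840, 0),      # zero window: receive buffer full
]


def app_reads(acks, wscale=0):
    """Return [(frame, newly_acked, bytes_read_by_app)] per consecutive ACK.

    The advertised window is buffer size minus bytes still buffered, so
    win_n = win_prev - newly_acked + app_read, hence
    app_read = win_n - win_prev + newly_acked. A run of zeros means the
    application is not pulling data from the socket.
    """
    out = []
    for (_, prev_ack, prev_win), (frame, ack, win) in zip(acks, acks[1:]):
        newly_acked = ack - prev_ack
        read = (win << wscale) - (prev_win << wscale) + newly_acked
        out.append((frame, newly_acked, read))
    return out


def diagnose(acks, wscale=0):
    """Find the first ACK of an unbroken no-read run and the zero-window frame."""
    reads = app_reads(acks, wscale)
    stall_start = None
    for frame, newly_acked, read in reads:
        if newly_acked > 0 and read == 0:
            stall_start = stall_start or frame   # first ACK with no app read
        elif read > 0:
            stall_start = None                   # app drained again, reset
    zero_window = next((f for f, _, w in acks if w == 0), None)
    return {"stall_start": stall_start, "zero_window": zero_window, "reads": reads}


if __name__ == "__main__":
    print(diagnose(CLIENT_ACKS))
```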