[Snort-users] Huge ACK's - somewhat off topic

Deterding, Brent D. DeterdingB at ...908...
Thu Nov 30 21:18:44 EST 2000


Heya,
	Not the perfect place for this question probably, but the best place
I know of. I'm on a DSL line and bandwidth is a big deal. On this particular
network (fraternity house) there's a mix of Windows and 2 Linux boxes. The
Windows boxen seem to send a full packet for ACKs. DSL seems to impose a
small window size as well, btw. This is what I see on file transfers:

Windows box
	receive two packets - total length in IP header= 1500 - total
capture length = 1514 - Window size = 32120
	send an ack - total length in IP header= 40 - total capture length=
1514 - Window size = 8760
	repeat

Linux box
	receive two packets- total length in IP header= 1500 - total capture
length = 1514 - Window size = 65160
	send an ack - total length in IP header= 52 - total capture length =
66 - Window size = 31856
	repeat

The problem: Windows boxes transmit half as much as they receive. When you
have a 128 kbit pipe up and a 768 kbit pipe down this can be a problem!
ALSO, sometimes the Windows box sees two packets before sending an ack, but
half the time it's only one packet. What gives?

Any ideas? thanks!

-- Brent


