Strange TCP Sender Behaviour

Windows XP Service Pack 2

During validation of simulation and other testing on the Wand Emulation Network we have found some interesting results and strange behaviour from TCP implementations. The following images are generated by tcptrace. Refer to tcptrace's website for details on what the graphs mean.

Windows XP: Broken TCP Sending

Zoomed in further on the offending packets - zoomed out to show slow start - large view using Linux as the receiver - it also happens when SACK is turned off - PCAP trace when SACK is turned off

There is a shot of viewing a trace recorded at the sender machine, a Windows XP Service Pack 2 box. This shows the machine sending packets outside the receivers advertised window. This has been recorded against multiple receiver stacks; this example uses FreeBSD 5.3, we've seen the same to other Windows, Linux, and OpenBSD boxes.

Though the images here show it happening during the first section of congestion encountered in slow start, this phenomena has also been observed later in the connection, though to a lesser degree.

No window scaling is offered; the above is not a problem with tcptrace, as evidenced by the following. Note that the trace extracts presented below correspond to the downloadable trace above which has SACK turned off.


09:31:24.744863 10.0.15.15.1613 > 10.0.11.19.5001: S [tcp sum ok] 1105497301:110
5497301(0) win 65535 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 8082, len 48)
09:31:24.846060 10.0.11.19.5001 > 10.0.15.15.1613: S [tcp sum ok] 1688085373:168
8085373(0) ack 1105497302 win 65535 <mss 1460> (DF) (ttl 62, id 18002, len 44)

The above output is from tcpdump showing the SYN and SYN ACK packets of the connection. The erroneous packets are shown in the output below:


09:31:25.898872 10.0.11.19.5001 > 10.0.15.15.1613: . [tcp sum ok] ack 108065 win
 65535 (DF) (ttl 62, id 18051, len 40)
09:31:25.898901 10.0.15.15.1613 > 10.0.11.19.5001: . 176685:178145(1460) ack 1 w
in 65535 (DF) (ttl 128, id 8227, len 1500)
09:31:25.904871 10.0.11.19.5001 > 10.0.15.15.1613: . [tcp sum ok] ack 108065 win
 65535 (DF) (ttl 62, id 18052, len 40)
09:31:25.904899 10.0.15.15.1613 > 10.0.11.19.5001: . 178145:179605(1460) ack 1 w
in 65535 (DF) (ttl 128, id 8228, len 1500)

The graph makes the problem much more obvious. The data packets above have sequence numbers greater than the ACK number plus the window size, indicating packets being sent outside the receivers advertised window.

Next: FreeBSD 5.3 SACK