Capture Zero Windows to PCAP

Here is a sample trigger to capture Zero Window events to PCAP for further analysis.

(Aside: This is more an exercise in using ExtraHop’s Precision Packet Capture feature. Reading Zero Window advertisements in a trace isn’t fun. With ExtraHop it’s dead bang easy.)

Thanks Gumby. Even two years later, I find this useful. I have some applications that I’ve noticed appear to have a lot of zero window events. I did this to capture some flows with zero window signals.

I looked at the flow zerownd1/2 for values greater than 10. I had lots of traces to do analysis on.
I used a Wireshark display filter for zero window or window size update so that I could find those events and then see how long the window was left at zero. When the trace had just a few, the recovery time was in the 20-30 ms range. When the trace had a lot of events, the recovery time was more like 100-200 ms. Thus the impact was worse the more it happened. This is going through an F5. I suspect the F5 has some issues, but that is another story.

Another happy Extrahop user.

Henry Steinhauer
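The measurement described in the reply above (filter on Wireshark's tcp.analysis.zero_window and tcp.analysis.window_update, then read off how long each side kept its window at zero) can be scripted over a whole pile of captures. The following is an added example, not code from the original post and not ExtraHop's trigger or capture code: a pure standard-library Python script that walks a classic pcap, opens a "zero-window episode" when one side of a flow first advertises window 0, closes it at that same side's next non-zero advertisement, and reports the recovery times. The hosts, ports, timestamps and the pcap bytes themselves are constructed inline so the script runs offline; point it at any classic pcap file instead of SAMPLE_PCAP for real analysis.

```python
"""Measure how long each side of a TCP flow keeps its receive window at zero.

Added example: not from the original post and not ExtraHop's trigger code.
Walks a classic pcap with only the standard library. A zero-window episode
starts at a sender's first window-0 advertisement and ends at that sender's
next non-zero advertisement (what Wireshark flags as a window update).
The pcap used below is constructed inline so the script runs offline.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# pcap magic -> (struct byte order, divisor turning the fraction field into microseconds)
MAGICS = {0xA1B2C3D4: ("<", 1), 0xD4C3B2A1: (">", 1),        # microsecond pcap
          0xA1B23C4D: ("<", 1000), 0x4D3CB2A1: (">", 1000)}   # nanosecond pcap


def build_pcap(packets):
    """Write a little-endian microsecond pcap (link type 1, Ethernet) from tuples
    (ts_us, src, dst, sport, dport, tcp_flags, window). Checksums stay zero:
    this is constructed test data, not traffic to replay."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts_us, src, dst, sport, dport, flags, window in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
        frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                               len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (timestamp_us, frame_bytes) for every record in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0] if len(pcap) >= 24 else None
    if magic not in MAGICS:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    order, divisor = MAGICS[magic]
    off = 24
    while off + 16 <= len(pcap):
        sec, frac, incl, _orig = struct.unpack(order + "IIII", pcap[off:off + 16])
        off += 16
        if off + incl > len(pcap):
            break                       # trailing partial record: stop rather than misparse
        yield sec * 1_000_000 + frac // divisor, pcap[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, window) for an Ethernet/IPv4/TCP frame,
    else None. The raw window field is enough: a scaled zero is still zero."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    window = struct.unpack("!H", tcp[14:16])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport, dport, tcp[13], window


def zero_window_episodes(pcap):
    """Return [(sender, start_us, duration_us)] with sender = (src, sport, dst, dport).
    duration_us is None if the window was still zero when the trace ended.
    SYN, FIN and RST segments are skipped: their window field is not back-pressure."""
    open_at, episodes = {}, []
    for ts, frame in iter_packets(pcap):
        hdr = parse_tcp(frame)
        if hdr is None:
            continue
        src, dst, sport, dport, flags, window = hdr
        if flags & (TH_SYN | TH_FIN | TH_RST):
            continue
        key = (src, sport, dst, dport)
        if window == 0:
            open_at.setdefault(key, ts)        # repeated zero windows extend the same episode
        elif key in open_at:
            start = open_at.pop(key)
            episodes.append((key, start, ts - start))
    episodes.extend((key, start, None) for key, start in open_at.items())
    return episodes


def summarize(episodes):
    """Count episodes; max/mean recovery time in ms over the ones that closed."""
    closed = [d for _, _, d in episodes if d is not None]
    return {"count": len(episodes), "closed": len(closed),
            "max_ms": max(closed) / 1000 if closed else None,
            "mean_ms": sum(closed) / len(closed) / 1000 if closed else None}


# Constructed sample: server 10.0.0.10:443 stalls three times; the client resets the
# connection while the third stall is still open. The RST carries window 0 but must not count.
SAMPLE_PCAP = build_pcap([
    (1_000_000, "10.0.0.5", "10.0.0.10", 51000, 443, TH_PSH | TH_ACK, 64240),
    (1_000_400, "10.0.0.10", "10.0.0.5", 443, 51000, TH_ACK, 0),       # zero window
    (1_010_400, "10.0.0.10", "10.0.0.5", 443, 51000, TH_ACK, 0),       # still zero
    (1_025_400, "10.0.0.10", "10.0.0.5", 443, 51000, TH_ACK, 32768),   # window update: 25 ms
    (2_000_000, "10.0.0.10", "10.0.0.5", 443, 51000, TH_ACK, 0),
    (2_150_000, "10.0.0.10", "10.0.0.5", 443, 51000, TH_ACK, 65535),   # window update: 150 ms
    (3_000_000, "10.0.0.10", "10.0.0.5", 443, 51000, TH_ACK, 0),       # never reopened
    (3_500_000, "10.0.0.5", "10.0.0.10", 51000, 443, TH_RST | TH_ACK, 0),
])

if __name__ == "__main__":
    eps = zero_window_episodes(SAMPLE_PCAP)
    for sender, start, dur in eps:
        print(sender, "at %.6f s:" % (start / 1e6), "open" if dur is None else "%.1f ms" % (dur / 1000))
    print(summarize(eps))
```

For a real trace, replace SAMPLE_PCAP with open("capture.pcap", "rb").read(); pcapng files are not handled, so export or convert to classic pcap first. Episodes are keyed per direction, so a stall by the server and a stall by the client on the same connection are reported separately, which is what you want when one of them sits behind a load balancer.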