window_recision

Hello everyone,

While searching our BRO logs, I came across a few hosts giving window_recision errors. A Google search did not shed any light on this subject. What does window_recision mean?

Thanks
Shane

I think it means that a TCP shrunk its recv-window by more than the amount of data it's ACKing. i.e. in https://tools.ietf.org/html/rfc793#section-3.7 :

  The mechanisms provided allow a TCP to advertise a large window and to
  subsequently advertise a much smaller window without having accepted
  that much data. This, so called "shrinking the window," is strongly
  discouraged. The robustness principle dictates that TCPs will not
  shrink the window themselves, but will be prepared for such behavior
  on the part of other TCPs.

- Jon
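The condition described in the reply above, as an added example that is not part of the original thread and is not Bro's own code: it tracks the right edge of the advertised window (ACK number plus window) for one endpoint and reports when that edge moves left. The function names, the `(ack, window)` tuple layout and the sample flows are constructed for illustration.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_delta(a, b):
    """Signed distance a - b in 32-bit sequence space."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def find_window_recisions(segments, wscale=0):
    """Flag segments where the advertised right window edge moves left.

    segments: (ack, window) pairs sent by one endpoint, in capture order.
    wscale:   that endpoint's window scale shift from its SYN (0 if none).
    Returns a list of (index, bytes_rescinded).
    """
    events = []
    max_ack = None
    edge = None
    for i, (ack, win) in enumerate(segments):
        if max_ack is not None and seq_delta(ack, max_ack) < 0:
            continue  # reordered or retransmitted old ACK, not a shrink
        new_edge = (ack + (win << wscale)) % MOD
        if edge is not None:
            moved = seq_delta(new_edge, edge)
            if moved < 0:  # window shrank by more than the data ACKed
                events.append((i, -moved))
        max_ack, edge = ack, new_edge
    return events


# Constructed sample flows (ack, window), not taken from real traffic.
NORMAL = [(1000, 8000), (2000, 7000), (3000, 8000)]  # edge never retreats
RESCINDED = [(1000, 8000), (2000, 3000)]             # edge 9000 -> 5000
WRAPPED = [(4294967000, 1000), (200, 2000)]          # ACK wraps past 2**32
REORDERED = [(2000, 7000), (1000, 4000)]             # stale ACK arrives late

if __name__ == "__main__":
    for name, flow in [("normal", NORMAL), ("rescinded", RESCINDED),
                       ("wrapped", WRAPPED), ("reordered", REORDERED)]:
        print(name, find_window_recisions(flow))
```

A window that shrinks by exactly the number of bytes acknowledged leaves the right edge in place and is not reported; only a retreat of the edge counts.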

I've been curious about this myself at a few sites that see a surprisingly high number of window_recision weirds. My suspicion is that it's due to some middle box on the network that is running out of buffer space. Are you monitoring at your border and do you have a border firewall?

.Seth