Hello everyone,

While searching our BRO logs, I came across a few hosts giving window_recision errors. A Google search did not shed any light on this subject. What does window_recision mean?


I think it means that a TCP shrunk its recv-window by more than the amount of data its ACKing. i.e. in :

  The mechanisms provided allow a TCP to advertise a large window and to
  subsequently advertise a much smaller window without having accepted
  that much data. This, so called "shrinking the window," is strongly
  discouraged. The robustness principle dictates that TCPs will not
  shrink the window themselves, but will be prepared for such behavior
  on the part of other TCPs.

- Jon

I've been curious about this myself at a few sites that see a surprisingly high number of window_recision weird. My suspicion is that it's due to some middle box on the network that is running out of buffer space. Are you monitoring at your border and do you have a border firewall?