TCP Window Size – Quick Primer

The TCP window size is basically the method employed by the receiving client/host to inform the sender, what the current buffer size should be for all the data within that connection.  It’s a flow control system which ensure that the receiving host doesn’t get overloaded with data, it’s very important that this is a dynamic figure which allows for various receive rates based on all sorts of outside factors such as network speed.   For example the windows size will become much smaller when data has been received but not yet processed by the receiving host.  If the buffer become full perhaps communicating with a fast VPN system, then the window will be set at zero, which informs the sender to temporarily stop transmitting data packets.  When some of the data is processed and there is some room in the buffer then the receiving device will send a windows size update to resume the flow of data.

From this explanation we can see that most of the control of the TCP window size is controlled by the receiving host, this allows control of the TCP session and prevent the client becoming overloaded.  It’s worth bearing this in mind because it’s probably a natural to assume that the data flow is controlled by  the device sending, not the device receiving.  In much networking analysis this principle holds which when you think about is entirely logical to ensure that both devices operate withing their own operational limits.



The TCP Window size is of course of special interest to hackers, security and intrusion detection analysts as it does give some very useful information about the client you are talking too.  For instance if you use tools like Nmap, you can by firing data packets at an unknown system, fingerprint and identify the operating system by analyzing the response and how the TCP windows size is set.  For example most Windows systems have initially defined default TCP Packet receives sizes set in the registry which will not normally change under normal circumstances.  For Nmap and other fingerprinting tools, the TCP Window size is a useful way of identifying a client operating system with minimal interaction with the system.  Some of the best VPN software also allows you to control the flow of data in order to manipulate and identify clients using the TCP Windows size.

It’s other useful attribute for security specialists is such as in the use of Honey pots and IDS systems like Snort and La Brea.  La Brea can effectively slow down a connection from an attacker by modifying the TCP Windows size, in many ways it can thwart and attack or at least make it a much more time consuming and cumbersome task.