Debugging TCP Throughput: Inspect rwnd, cwnd, and Wireshark Patterns
This article explains how to diagnose low network throughput by examining sender, receiver, and intermediate bottlenecks, understanding TCP flow and congestion windows (rwnd and cwnd), using Linux ss commands, and interpreting Wireshark visualizations to pinpoint the root cause.
When debugging network quality we usually focus on latency and throughput; latency is easy to verify with ping or mtr, while this article shares a method to debug throughput.
Throughput‑critical scenarios, often called Long Fat Networks (LFN), can be limited by three factors:
Sender‑side bottleneck
Receiver‑side bottleneck
Intermediate network bottleneck
Sender bottlenecks typically arise from insufficient buffer size: the application writes data to a kernel buffer via a syscall, and if the buffer fills, the application blocks until space is available.
Receiver bottlenecks occur when the receiver’s buffer (rwnd) is too small; TCP flow control prevents the sender from exceeding this window, and excess data is dropped.
Network bottlenecks are handled by TCP congestion control (cwnd), which limits the amount of unacknowledged data in the network.
The congestion window (cwnd) is determined by algorithms such as CUBIC or Google BBR. During slow start, cwnd doubles after successful ACKs until either a packet loss occurs or cwnd reaches rwnd.
If cwnd stops growing because packets are lost or because cwnd equals rwnd, the limitation is at the receiver side, not the network.
Viewing rwnd
The receiver window size is encoded in the TCP header; capturing the handshake packets is necessary to apply the window‑scale factor.
Viewing cwnd
cwnd is a dynamic variable on the sender and is not transmitted in packets; it must be inspected on the sending host. On Linux, ss -i prints TCP parameters, showing cwnd in units of MSS (e.g., 1460 bytes × 10).
Wireshark Analysis
Wireshark’s TCP‑trace graph visualizes one‑direction traffic. The X‑axis is time, the Y‑axis is TCP Sequence Number. Red lines indicate SACKed segments, yellow lines show ACKed segments, and blue lines represent retransmissions.
Common patterns:
Packet loss: many red SACK segments indicating missing packets.
Throughput limited by receiver window: the yellow ACK line rises until it fills the green window line.
Throughput limited by network quality: the yellow line never reaches the green window, and frequent retransmissions (blue) suggest a small cwnd due to congestion.
By interpreting these graphs you can identify whether the bottleneck lies in sender buffers, receiver buffers, or network congestion.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.