How to Diagnose Low TCP Throughput: Inspect rwnd, cwnd, and Wireshark Patterns

When debugging network performance, two key metrics are latency and throughput. While latency can be quickly measured with ping or mtr, assessing throughput requires understanding three possible bottlenecks: the sending side, the receiving side, or the intermediate network.

rwnd (Receiver Window) Inspection

The receiver advertises its buffer size (rwnd) during the TCP handshake via the TCP Window Scale option. To see the actual window size, capture the TCP handshake packets and multiply the advertised value by the negotiated scale factor.

cwnd (Congestion Window) Inspection

cwnd is a dynamic variable calculated by the sender’s congestion‑control algorithm (default is CUBIC, alternatives include Google’s BBR). It grows during slow start until a packet loss or the receiver’s window limit is reached.

On Linux you can display cwnd and related TCP parameters with: ss -i The output shows values in units of the TCP MSS (typically 1460 bytes). For example, a displayed value of 10 means 10 × 1460 = 14600 bytes.

Wireshark Analysis

Wireshark’s TCP‑Stream‑Graph visualises sequence numbers over time. The X‑axis is time, the Y‑axis is the TCP Sequence Number. Three lines are shown:

Red line (SACK): segments that the receiver has acknowledged as received.

Yellow line (ACK): the highest acknowledged sequence number.

Blue line: retransmitted data.

When the red and yellow lines diverge, packets were lost and need retransmission. If the yellow line stops advancing while the red line continues, the sender is limited by cwnd or network congestion.

Common Patterns Identified in Wireshark

Packet Loss

Frequent red SACK segments indicate missing packets that the receiver repeatedly reports.

Throughput Limited by Receiver Window

The yellow ACK line rises until it hits the green window‑size line, after which the sender stops sending. Increasing the receiver’s buffer can raise the throughput.

Throughput Limited by Network Quality

If the receiver window is far from full but the throughput remains low, the bottleneck is likely the network. Small cwnd values and many retransmissions suggest congestion control is restricting the flow.

References

[1] mtr – https://www.kawabangga.com/posts/4275

[2] RFC 7323 – https://datatracker.ietf.org/doc/html/rfc7323

[3] BBR – https://www.kawabangga.com/posts/4086

[4] TCP Window Scale – https://en.wikipedia.org/wiki/TCP_window_scale_option

[5] TCP MSS – https://www.cloudflare.com/learning/network-layer/what-is-mss/

[6] spate – https://github.com/royzhr/spate