How can you detect a TCP zero window condition or zero-window probes?

TCP flow control hinges on the receiver’s advertised window: if the receiver’s buffer is full, it will advertise a window size of zero in its ACKs, telling the sender to pause until more space is available. To spot this in a trace, look for ACKs coming from the receiver that carry a Window Size of zero. When the window is zero, the sender may send zero-window probes—special small probes to check if the window has opened again and to elicit a window update. In Wireshark, this pattern appears as ACKs with zero window size and subsequent zero-window probe activity; the tool often highlights these events as zero-window conditions. This is exactly how you detect the condition and the probes that follow. The other options don’t indicate this behavior: a high MTU is unrelated to flow control, a non-zero window size means the receiver is ready to receive more data, and EDNS0 is a DNS extension, not part of TCP window management.