This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 92%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHL%3C/text%3E%3C/svg%3E)
when I use log feature of windows firewall, I find that there are many log data with packet size 0 , can somebody tell me what does it means?
2020-09-07 10:42:21 ALLOW TCP ip1 ip2 63370 8080 0 - 0 0 0 - - - SEND
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 13%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Hello, I am scratching my head on this too, so reviving the thread. I don't know that I agree that this question was answered. The responses were either 1) its normal as it is a TCP SYN, or 2) responses that were discussing receive data entries. Received seems to capture the size correctly, but in my testing I am not getting any size for SEND messages. From online references and my own Wireshark captures, SYN = 1 when sending a SYN packet. Even if the 0 represents the SYN was sent (in my example below it would be SYN-ACK), this doesn't explain why no outbound data is registering. Loading webpages should send an HTTP GET message, and I tried uploading data as well, but nothing ever appears to calculate the size of a TCP SEND flow.
Example with tcpsyn = 0, tcpack = 0
2024-07-03 11:45:13 ALLOW TCP 192.168.1.1 207.194.175.58 6580 443 0 - 0 0 0 - - - SEND 18340In looking at my logs from today, all of my entries are TCP SEND with the 0 0 0 in the string above, and never anything else. I only see the size field populated if the packet was dropped throughout the entire log
Questions:
Thanks,
Kelly
Hi @Hongde Liu ,
size:Displays the packet size, in bytes.
tcpflags:Displays the TCP control flags found in the TCP header of an IP packet
tcpsyn:Displays the TCP sequence number in the packet.
tcpack:Displays the TCP acknowledgement number in the packet.
Since the size & syn is 0, it indicates that the source port sent an empty SYN pocket. If you want to establish an successful TCP connection, it must begin with the SYN pocket containing some data. The statetics means that it's an invalid TCP pocket.
For more details about the Tcp connection establishment and three-way handshake, please refer to
introduction-to-tcp
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 98%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
This response is incorrect. I have the same issue, logged into this server, it's moving gigs of data and yet 1-2million firewall lines a day all show 0 This is a windows or configuration issues, there is no way 2M lines of logs are all 0 packet size..... So the question still stands, what is causing this? and how do we get the logs to show actual traffic??
Hi,
In regards to your issue, may I ask that what method do you use to configure firewall logging? Through GUI or GPO?
Because with both two method, the packet size is neither 0 after my test. So with the correct configuration, the situation you described should not appear.
It is suggested that you can check the Registry key of firewall logging. Domain Profile for example:
Then you can check both Public Proflie & Standard Profile.
If the value is all good, you can close and enable the firewall logging again to check the result.
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentationhttps://learn.microsoft.com/en-us/answers/articles/67444/email-notifications.html to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Gloria Gu
Many thanks for the prompt reply.
it has no relationship with LogFileSize setting, but the "size" field within log file
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ff824015(v=vs.85)
there are many data with "0" size in log file %systemroot%\system32\LogFiles\Firewall\pfirewall.log
2020-09-07 10:42:21 ALLOW TCP ip1 ip2 63370 8080 **0** - 0 0 0 - - - SEND
hmm... my question is why there are many data log with "0" size in log file .
@Hongde Liu Hi,
Sorry for misunderstanding your meaning. After my research for related information, a "zero-length" TCP packet merely means that the party sending it had no payload to send but needed to inform the other one about something, e.g. about successful reception of data or, vice versa, about missing data which need to be retransmitted.
For more details, you can refer to:
https://osqa-ask.wireshark.org/questions/52702/why-are-0-length-tcp-packets-returned-on-some-http-tcp-sessions
Hi @Gloria Gu
2020-09-07 10:42:21 ALLOW TCP ip1 ip2 63370 8080 0 - 0 0 0 - - - SEND
the protocol is TCP , we can know the length of TCP header is more than 20
https://en.wikipedia.org/wiki/Transmission_Control_Protocol
Data offset (4 bits)
Specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words thus giving the minimum size of 20 bytes and maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.
so the "size" result should be 20-60 , but not 0 ,
and also I checked UDP/ICMP , UDP 8 , ICMPv4/v6 8
https://en.wikipedia.org/wiki/Transmission_Control_Protocol
https://en.wikipedia.org/wiki/User_Datagram_Protocol
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
Hi @Gloria Gu
Thanks. Got it.