Wireshark mailing list archives

Re: Erroneous data in TCP display


From: ronnie sahlberg <ronniesahlberg () gmail com>
Date: Tue, 17 Nov 2009 08:30:13 +1100

That makes sense for ordinary tcp since the window size is undefined
during the initial syn.

I have checked in a change to wireshark so it does not show the window
size for the initial syn packet.


There is an exception for the
old/obsolete/abandoned/genuinely-bad-idea variant called T-TCP
where the window size during the syn phase did have a semantic meaning.
Fortunately no one is using t-tcp any more and if someone does, they shouldn't.


regards
ronnie sahlberg


On Tue, Nov 17, 2009 at 6:50 AM, Ed Franks <ewf () e-vse com> wrote:
I'm a developer for a TCP/IP stack.  I have been getting customer complaints
about setting an initial window size of 0.  When I explain that we don't do
this, they reply "Wireshark says you do."

After examining several Wireshark traces, I see that the display for the
initial SYN packet does, indeed, show a value for "window" (sometimes 0,
sometimes other values).  The value obviously comes from the window field
of the TCP header.

However, "window" is always relative to "ACK", and ACK is never present
in the initial SYN.

Might it be possible to either omit the "window" value when it is undefined
or at least show it as "???".  This would be true only for the initial SYN.

If anyone knows why a stack would set the SYN packet window field to non-zero
(and what it would mean), I would appreciate a pointer to the relevant RFC.

BTW, you provide an excellent product.  It has more than once re-directed the
"smoking gun" from my software to a failing network device.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
