Wireshark mailing list archives
Re: TCP windows update
From: Stephen Fisher <steve () stephen-fisher com>
Date: Mon, 28 Feb 2011 10:15:20 -0700
On Mon, Feb 28, 2011 at 07:47:09PM +0900, Andrej van der Zee wrote:
I was wondering if somebody could tell me how Wireshark detects TCP window advertisements.
There have been improvements recently in Wireshark version 1.5 development builds that make it clearer what is in the packet. If you go here and download the latest development build http://www.wireshark.org/download/automated/ you can follow along. Each TCP segment has a window size, but it may be scaled by options negotiated only during the initial 3-way handshake (SYN/SYN+ACK/ACK). So if you look at a SYN+ACK segment for example, you may see that the window size value in the header is 8192 bytes, but further down in the options section, there is a window scale option of 2 shift count (which means bit shift by 2, which further means multiply by 4 any value from the packet). This was necessary because when TCP was designed, they only used a 16-bit value for the window size, which allows up to 65,535 bytes maximum as the window size. The multiplier will take that value and scale it. Another example is a TCP segment after the initial handshake that shows a packet window size value of 16695 with a multiplier negotiated earlier of 4. So the calculated window size is 66780 (16695 * 4). This scaling in Wireshark only works when Wireshark has seen the 3-way handshake, so you will see two other possible values of -1 when Wireshark doesn't know what the scaling (if any) is or -2 when no scaling was negotiated during the 3-way handshake. ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- TCP windows update Andrej van der Zee (Feb 28)
- Re: TCP windows update Stephen Fisher (Feb 28)