Olivier,
thanks for the quick response. You seem to have hit the nail right on
the head, as turning off the "TCP Window Scaling" option in the Ethereal
GUI actually fixed it. Just out of curiosity, can you explain what the
nature of this option really is? I can't seem to find any good
documentation on the site that describes this one. Anyways, thanks for
straightening that out for me. Now Ethereal makes sense again. :)
Arne
On Wed, 2004-03-24 at 13:42, Biot Olivier wrote:
> Hi Arne,
>
> Is the "TCP Window Scaling" option used in your capture? This may
> explain
> why the window *seems* to be incorrectly computed. Ohterwise it really
> *is*
> a bug :)
>
> Regards,
>
> Olivier
>
> |-----Original Message-----
> |From: Arne Sagnes
> |
> | Quick addendum: I forgot to mention that upon reviewing the packets
> |with tcpdump, the window size is calculated correctly. I also tried
> |downloading the latest version of Ethereal from the site, but
> |the window
> |size remains incorrect. Thanks.
> |
> |Arne
> |
> |On Wed, 2004-03-24 at 13:35, Arne Sagnes wrote:
> |> Hello everyone,
> |> first of all I'd like to thank everyone for a great and versatile
> |> product. Ethereal has without a doubt made my life a whole
> |lot easier,
> |> and I've never had any complaints on it. :) Today, however,
> |I noticed
> |> something extremely strange. I was sniffing traffic on one of our
> |> servers, and I came upon an odd discrepancy. In the section for
> |> "Transmission Control Protocol", I saw that the "Window
> |size" was listed
> |> as "66608". This was out of the ordinary, so I decided to
> |investigate.
> |> What I found was the the hex value representing "66608" was actually
> |> "8218". Now, the interesting thing is that in another conversation,
> |> that same hex value is translated to "33304", which I believe is the
> |> correct value.
> |> Due to the sensitive nature of the traffic, I'm afraid I
> |can't include
> |> a sample of the traffic dump itself, but I can provide a
> |screenshot of
> |> the window containing the packet, if anyone is interested.
> |Has anyone
> |> seen this behavior before, or have an explanation that I'm missing?
> |> I've searched through the docs, man pages, FAQs and archives on
> |> ethereal.com; I also went Googling, but I was unable to come up with
> |> any clues. Any help would be greatly appreciated.
> |>
> |> Arne
> |--
> |Arne Sagnes - Email: asagnes@xxxxxxxxxxx
> |Work: +1 440 949 8225 - Cell: +1 216 577 2319
> |Be careful of reading health books, you might die of a misprint.
> |
> |
> |
> |_______________________________________________
> |Ethereal-users mailing list
> |Ethereal-users@xxxxxxxxxxxx
> |http://www.ethereal.com/mailman/listinfo/ethereal-users
> |
--
Arne Sagnes - Email: asagnes@xxxxxxxxxxx
Work: +1 440 949 8225 - Cell: +1 216 577 2319
Be careful of reading health books, you might die of a misprint.
