At 10:35 AM 3/24/2004, Arne Sagnes wrote:
Hello everyone,
first of all I'd like to thank everyone for a great and versatile
product. Ethereal has without a doubt made my life a whole lot easier,
and I've never had any complaints on it. :) Today, however, I noticed
something extremely strange. I was sniffing traffic on one of our
servers, and I came upon an odd discrepancy. In the section for
"Transmission Control Protocol", I saw that the "Window size" was listed
as "66608". This was out of the ordinary, so I decided to investigate.
What I found was that the hex value representing "66608" was actually
"8218". Now, the interesting thing is that in another conversation,
that same hex value is translated to "33304", which I believe is the
correct value.
Due to the sensitive nature of the traffic, I'm afraid I can't include
a sample of the traffic dump itself, but I can provide a screenshot of
the window containing the packet, if anyone is interested. Has anyone
seen this behavior before, or have an explanation that I'm missing?
I've searched through the docs, man pages, FAQs and archives on
ethereal.com; I also went Googling, but I was unable to come up with
any clues. Any help would be greatly appreciated.

The window size field can be scaled (shifted) by 0 to 14 bits, to allow for
window sizes larger than can fit in 16 bits. You need to look at the SYN
handshake at the beginning of the connection to see if the window scaling
option (first byte = 3) is present.
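
Added example, not part of the original thread: a small Python parser that pulls the window scale option (kind 3) out of the SYN and SYN-ACK headers and applies the shift to the 16-bit window field of a later segment. The function names and the sample segments are constructed for illustration, and the shift of 1 is an assumption chosen because 66608 is 33304 shifted left by one bit.

```python
import struct

def build_tcp_header(flags, window, options=b""):
    """Constructed test input: a TCP header with the given flags, window, options."""
    offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       offset_words << 4, flags, window, 0, 0) + options

def window_scale_shift(tcp_header):
    """Return the shift count of the window scale option (kind 3), or None."""
    header_len = (tcp_header[12] >> 4) * 4
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad TCP data offset")
    opts, i = tcp_header[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == 3 and length == 3:
            return min(opts[i + 2], 14)   # RFC 7323: shifts above 14 are used as 14
        i += length
    return None

def effective_window(segment, sender_syn, peer_syn):
    """Scale the 16-bit window of `segment` using the options seen in both SYNs."""
    raw = struct.unpack_from("!H", segment, 14)[0]
    shift = window_scale_shift(sender_syn)
    # Scaling is only in effect if both the SYN and the SYN-ACK carried the option.
    if shift is None or window_scale_shift(peer_syn) is None:
        return raw
    return raw << shift

# Constructed sample segments (not from the poster's capture).
MSS = bytes([2, 4, 0x05, 0xB4])
SYN_WS1 = build_tcp_header(0x02, 0xFFFF, MSS + bytes([1, 3, 3, 1]))     # shift 1
SYNACK_WS0 = build_tcp_header(0x12, 0xFFFF, MSS + bytes([1, 3, 3, 0]))  # shift 0
SYN_PLAIN = build_tcp_header(0x02, 0xFFFF, MSS)
SYNACK_PLAIN = build_tcp_header(0x12, 0xFFFF, MSS)
DATA = build_tcp_header(0x10, 0x8218)     # ACK segment, window field 0x8218

if __name__ == "__main__":
    print(effective_window(DATA, SYN_WS1, SYNACK_WS0))      # 66608
    print(effective_window(DATA, SYN_PLAIN, SYNACK_PLAIN))  # 33304
```

If the capture does not include the handshake, the shift cannot be recovered from later segments, so the same 0x8218 can only be reported as 33304.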