Wireshark-bugs: [Wireshark-bugs] [Bug 2378] New: Window scaling bug
Date: Thu, 20 Mar 2008 03:02:07 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2378

           Summary: Window scaling bug
           Product: Wireshark
           Version: 0.99.8
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: ramin@xxxxxxxxx


Build Information:
Version 0.99.8 (SVN Rev 24492)

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.8, with GLib 2.14.6, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 7.0, with SMI 0.4.5, with ADNS, with Lua 5.1,
with
GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio V19-devel,
with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 6.0 build 8804
--
My understanding of window scaling is that if ‘A’ says WS=x and ‘B’
says WS=y (in TCP  SYN and SYN ACK), then the advertised window by ‘A’
would be multiplied by 2^x and advertised window by ‘B’ would be multiplied
by 2^y (x or y can be zero).

Excerpt from RFC1323:
*    Upon receiving a SYN segment with a Window Scale option
           containing shift.cnt = S, a TCP sets Snd.Wind.Scale to S and
           sets Rcv.Wind.Scale to R; otherwise, it sets both
           Snd.Wind.Scale and Rcv.Wind.Scale to zero.

Based on the above, I would have expected that the advertised window size for
ACKs sent from 10.53.40.213 to be ~256kB, but at least wireshark thinks that it
is ~64kB (see figure below).  Wireshark scales the window in cases that both
the client and the server propose non-zero window scale.  Is this a wireshark
bug?  I’m using the latest version.

Apply the following filter and observe that Wireshark does not do Window
scaling properly.

(ip.addr eq 10.53.40.213 and ip.addr eq 10.52.0.12) and (tcp.port eq 1048 and
tcp.port eq 58978)

If you save the first 900 packets and then open the shortened file using WS,
then WS does window scaling correctly.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.