Wireshark-bugs: [Wireshark-bugs] [Bug 5541] Custom Window Size Column Shows Two Values and Doesn
Date: Mon, 3 Jan 2011 20:55:45 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5541

--- Comment #7 from Jim Aragon <Jim@xxxxxxxxxxxxxxxxx> 2011-01-03 20:55:40 PST ---
(In reply to comment #5)
> I also added more details in the TCP Window Scale option output to now look
> like:
>         Window scale: 8 (multiply by 256)
>             Kind: Window Scale (3)
>             Length: 3
>             Shift count: 8
>             [Multiplier: 256]

Looks good.

> How about something like this:
> ...with scaling:
>     Window size value: 258                       <--- tcp.window_size_value
>     [Calculated window size: 66048 (scaled)]     <--- tcp.window_size
> ...without scaling:
>     Window size value: 258                       <--- tcp.window_size_value
>     [Calculated window size: 258]                <--- tcp.window_size

So if I understand this correctly, there will once again be only a single
instance of tcp.window_size and it will show the correct window size whether
scaling is used or not? Does "without scaling" include the situation where
Wireshark did not see the 3-way handshake, or does it only apply where
Wireshark saw the 3-way handshake, and scaling was not used?

Also, it appears to me that as part of these changes tcp.options.wscale_val was
renamed to tcp.options.wscale.shift. If so, that will break some existing
filters. On the web site for Laura Chappel's book, "Wireshark Network
Analysis," she has a number of sample configuration profiles available for
download. All of her configuration profiles work fine on Wireshark 1.4.2.
However, her "NMAP Detection" profile now throws the following error on
Wireshark 1.5.0-SVN-35350: "Could not compile color filter Nmap from saved
filters. Neither 'tcp.options.wscale_val' nor '10' are field or protocol
names."

Manually editing the colorfilters file to replace "tcp.options.scale_val" with
"tcp.options.wscale.shift" eliminates the error.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.