On Mon, Feb 28, 2011 at 07:47:09PM +0900, Andrej van der Zee wrote:
> I was wondering if somebody could tell me how Wireshark detects TCP
> window advertisements.
There have been improvements recently in Wireshark version 1.5
development builds that make it clearer what is in the packet. If you
go here and download the latest development build
http://www.wireshark.org/download/automated/ you can follow along.

Each TCP segment has a window size, but it may be scaled by options
negotiated only during the initial 3-way handshake (SYN/SYN+ACK/ACK). So
if you look at a SYN+ACK segment for example, you may see that the
window size value in the header is 8192 bytes, but further down in the
options section, there is a window scale option with a shift count of 2 (which
means bit shift by 2, which further means multiply any value from
the packet by 4). This was necessary because when TCP was designed, they
only used a 16-bit value for the window size, which allows up to 65,535
bytes maximum as the window size. The multiplier will take that value
and scale it.

Another example is a TCP segment after the initial handshake that shows
a packet window size value of 16695 with a multiplier negotiated earlier
of 4. So the calculated window size is 66780 (16695 * 4).

This scaling in Wireshark only works when Wireshark has seen the 3-way
handshake, so you will see two other possible values of -1 when
Wireshark doesn't know what the scaling (if any) is or -2 when no
scaling was negotiated during the 3-way handshake.
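As an added illustration (not part of the mailing-list thread or of Wireshark's source), the following Python reproduces the calculation described in the reply: it pulls the window scale option out of each side's SYN, then reports the raw window, the scaling factor (using the -1 "unknown" and -2 "no scaling" conventions) and the calculated window for later segments. The `build_segment` helper, the `WindowTracker` class and the sample segments are constructed here for the example; the handshake handling follows RFC 7323, not Wireshark's dissector.

```python
import struct
# Fixed 20-byte TCP header: ports, seq, ack, data offset/reserved, flags, window, checksum, urgent
TCP_FIXED = struct.Struct("!HHIIBBHHH")
OPT_EOL, OPT_NOP, OPT_WSCALE = 0, 1, 3
FLAG_SYN, FLAG_ACK = 0x02, 0x10
UNKNOWN_SCALE, NO_SCALE = -1, -2  # Wireshark's sentinel values for the scaling factor
def build_segment(flags, window, options=b""):
    # Constructed test segment; checksum and sequence numbers are left at zero.
    options += b"\x00" * (-len(options) % 4)              # pad options to a 32-bit boundary
    offset = (TCP_FIXED.size + len(options)) // 4
    return TCP_FIXED.pack(1234, 80, 0, 0, offset << 4, flags, window, 0, 0) + options

def parse_segment(segment):
    # Returns (flags, raw 16-bit window, option bytes) for a TCP segment without its IP header.
    off_res, flags, window = TCP_FIXED.unpack_from(segment)[4:7]
    return flags, window, segment[TCP_FIXED.size:(off_res >> 4) * 4]

def window_scale_shift(options):
    # Walks the option list; returns the window-scale shift count or None if the option is absent.
    i = 0
    while i < len(options) and options[i] != OPT_EOL:
        kind = options[i]
        length = 1 if kind == OPT_NOP else options[i + 1]
        if kind == OPT_WSCALE and length == 3 and i + 2 < len(options):
            return min(options[i + 2], 14)                # RFC 7323 caps the shift at 14
        i += max(length, 1)                               # never loop on a malformed length
    return None
class WindowTracker:
    """One connection; each side's shift applies to the windows that side advertises."""
    def __init__(self):
        self.shift = {}  # direction -> shift from that side's SYN (None = no option sent)
    def process(self, direction, segment):
        """Returns (raw window, scaling factor, calculated window) as Wireshark presents them."""
        flags, window, options = parse_segment(segment)
        if flags & FLAG_SYN:                              # SYN or SYN+ACK: record this side's shift
            self.shift[direction] = window_scale_shift(options)
            return window, 1, window                      # a SYN's own window is never scaled
        if len(self.shift) < 2:                           # handshake not captured: scale unknown
            return window, UNKNOWN_SCALE, window
        if None in self.shift.values():                   # either side omitted the option
            return window, NO_SCALE, window
        return window, 1 << self.shift[direction], window << self.shift[direction]

# Constructed sample: both sides announce shift 2, then the server sends a data segment.
WSCALE_2 = bytes([OPT_WSCALE, 3, 2])
conn = WindowTracker()
conn.process("client", build_segment(FLAG_SYN, 65535, WSCALE_2))
conn.process("server", build_segment(FLAG_SYN | FLAG_ACK, 8192, WSCALE_2))
print(conn.process("server", build_segment(FLAG_ACK, 16695)))  # (16695, 4, 66780)
```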