...So in theory the window size reported to you when you have window
scaling processing turned on is the "Real" TCP window size, and the one
reported when you have it turned off "isn't" correct, because TCP
window scaling is in effect on the connection.
On Mar 24, 2004, at 2:10 PM, Jack Jackson wrote:
At 10:35 AM 3/24/2004, Arne Sagnes wrote:
Hello everyone,
first of all I'd like to thank everyone for a great and versatile
product. Ethereal has without a doubt made my life a whole lot
easier,
and I've never had any complaints on it. :) Today, however, I noticed
something extremely strange. I was sniffing traffic on one of our
servers, and I came upon an odd discrepancy. In the section for
"Transmission Control Protocol", I saw that the "Window size" was
listed
as "66608". This was out of the ordinary, so I decided to
investigate.
What I found was the the hex value representing "66608" was actually
"8218". Now, the interesting thing is that in another conversation,
that same hex value is translated to "33304", which I believe is the
correct value.
Due to the sensitive nature of the traffic, I'm afraid I can't
include
a sample of the traffic dump itself, but I can provide a screenshot of
the window containing the packet, if anyone is interested. Has anyone
seen this behavior before, or have an explanation that I'm missing?
I've searched through the docs, man pages, FAQs and archives on
ethereal.com; I also went Googling, but I was unable to come up with
any clues. Any help would be greatly appreciated.
The window size field can be scaled (shifted) by 0 to 14 bits, to
allow for window sizes larger than can fit in 16 bits. You need to
look at the SYN handshake at the beginning of the connection to see if
the window scaling option (first byte = 3) is present.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users