That makes sense for ordinary tcp since the window size is undefined
during the initial syn.
I have checked in a change to wireshark so it does not show the window
size for the initial syn packet.
There is an exception for the
old/obsolete/abandoned/genuinely-bad-idea varient called T-TCP
where the window size during the syn phase did have a semantic meaning.
Fortunately no one is using t-tcp any more and if someone does, they shouldnt.
regards
ronnie sahlberg
On Tue, Nov 17, 2009 at 6:50 AM, Ed Franks <ewf@xxxxxxxxx> wrote:
> I'm a developer for a TCP/IP stack. I have been getting customer complaints
> about setting an initial window size of 0. When I explain that we don't do
> this, they reply "Wireshark says you do."
>
> After examining several Wireshark traces, I see that the display for the
> initial SYN packet does, indeed, show a value for "window" (sometimes 0,
> sometimes other values). The value obviously comes from the window field
> of the TCP header.
>
> However, "window" is always relative to "ACK", and ACK is never present
> in the initial SYN.
>
> Might it be possible to either omit the "window" value when it is undefined
> or at least show it as "???". This would be true only for the initial SYN.
>
> If anyone knows why a stack would set the SYN packet window field to non-zero
> (and what it would mean), I would appreciate a pointer to the relevant RFC.
>
> BTW, you provide an excellent product. It has more than once re-directed the
> "smoking gun" from my software to a failing network device.
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>