On 5/28/12, Stuart Kendrick <skendric@xxxxxxxxx> wrote:
> How does this field work?
>
> [...]
> Window size value: 5792
> [Calculated window size: 5792]
> [...]
> Window scale: 7 (multiply by 128)
> Kind: Window Scale (3)
> Length: 3
> Shift count: 7
> [Multiplier: 128]
> [...]
> 0030 16 a0 ....
> 0040 1e 34 a8 76 1f 26 01 03 03 07
>
> In the hex decode, I see 0x16a0 at offset 0x0030, which converts neatly
> to TCP Window Size 5792 (in decimal). Fine. In the hex decode, I see
> '03 03 07' at the end of the TCP Frame ... which translates into Window
> Scale 3, Length 3, Shift Count 7. Fine.
>
> But I would expect Calculated window size to read 741,376 (i.e. 128 *
> 5792). i.e. I think actual TCP Window Size is ~740K ... not ~6K.
>
> Wireshark 1.7.1 (SVN Rev 41970)
>
> What am I misunderstanding?
RFC 1323 section 2.2
The Window field in a SYN (i.e., a <SYN> or <SYN,ACK>) segment
itself is never scaled.
Regards,
Lee