Wireshark-users: Re: [Wireshark-users] Window scaling

From: Jim Aragon <Jim@xxxxxxxxxxxxxxxxx>
Date: Wed, 01 Jun 2016 12:01:58 -0700
At 11:26 AM 6/1/2016, Chris Maynard wrote:

>Robert Dahlem <Robert.Dahlem@...> writes:

>> But my Wireshark 1.12.8 tells me "Calculated window size: 8192" which
>> would match with the firewalls behaviour.
>>
>> Is there something wrong with the SYN/ACK packet?
>
>No, there's nothing wrong with the SYN/ACK packet, at least as far as
>I can tell.  SYN packets are never themselves scaled so Wireshark will
>always display the calculated window size the same as the window size
>value, regardless of the scaling factor.
>
>What's missing here though is the client's SYN packet showing its
>scaling factor, but I suspect that the client does not support
>scaling, which means there is no window scaling effect in either direction.

Well, we can conclude that the client does support window scaling because if the client does not announce a scale factor in its SYN packet, the server won't announce window scaling in the SYN/ACK, since there's no point to doing so. From RFC 7323: "Furthermore, the Window Scale option will be sent in a <SYN,ACK> segment only if the corresponding option was received in the initial <SYN> segment."

As Chris pointed out, packets with the SYN bit set are never scaled, so the window size value and the calculated window size are the same, but f you look farther down in the captured packets, past the SYN and SYN/ACK, you will see that the calculated window size is the number in the window size value field multiplied by the scale factor.