Wireshark-users: Re: [Wireshark-users] Window scaling

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Mon, 6 Jun 2016 09:02:12 -0700
On Mon, Jun 6, 2016 at 8:45 AM, Robert Dahlem <Robert.Dahlem@xxxxxxx> wrote:
>
>
> On 06.06.2016 17:37, ronnie sahlberg wrote:
>
>>> I do not agree with the statement that packets with the SYN bit set are
>>> never scaled.
>>
>> The standard is pretty clear for this case.
>
>> The Window field in a SYN (i.e., a <SYN> or <SYN,ACK>) segment
>> itself is never scaled.
>
> Maybe my English is not good enough for the proper definition of
> "scaled". To clarify this for me: I have a SYN/ACK packet with Window
> size 8192 and Window scale 8 (multiply by 256): is the client allowed to
> send 8192 or 2G bytes without seeing the first ACK without SYN from the
> server?
>
> Were it 8192 then the Linux kernel had been right in marking the packets
> with more than 81902 bytes in flight as invalid.

On a strict reading of the standard, it would be correct to discard
these packets as they are indeed invalid.


However, it is unadvisable to do these kind of "is within window else
discard" checks anywhere in the path.
Reason for this is that a router somewhere in the path can never
assume it will see or process every single segments,
thus the router can generally never know with certainty what the exact
state of the window should be.
Thus the router should not do these checks in the first place.


>
> Kind regards,
> Robert
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe