What does this mean in a summary of the trace file? [Window size scaling factor: -1 (unknown)] I captured it on a linux server with tcpdump and am reading the file on a Windows PC with Wireshark. asked 11 Apr '12, 18:04  godfreydanials |
One Answer:
It means that the trace file does not contain the TCP three-way handshake, so Wireshark does not know whether window scaling is in use, and if it is, what the window scaling factor is. If Wireshark sees the three-way handshake, and window scaling is used, Wireshark will know what window scaling factor is used by each side. Wireshark will then calculate the true window size for you by multiplying the value in the window size field by the appropriate multiplier. If Wireshark does not see the three-way handshake, it will simply report the value of the window size field, which may or may not be the true window size, and indicate "[window size scaling factor -1 (unknown)]" See RFC 1323 for the specification of the TCP window scale option. answered 11 Apr '12, 19:00  Jim Aragon edited 11 Apr '12, 19:16 |
