This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[Window size scaling factor: -1 (unknown)]

0

What does this mean in a summary of the trace file? [Window size scaling factor: -1 (unknown)]

I captured it on a linux server with tcpdump and am reading the file on a Windows PC with Wireshark.

asked 11 Apr '12, 18:04

godfreydanials's gravatar image

godfreydanials
1111
accept rate: 0%


One Answer:

4

It means that the trace file does not contain the TCP three-way handshake, so Wireshark does not know whether window scaling is in use, and if it is, what the window scaling factor is. If Wireshark sees the three-way handshake, and window scaling is used, Wireshark will know what window scaling factor is used by each side. Wireshark will then calculate the true window size for you by multiplying the value in the window size field by the appropriate multiplier.

If Wireshark does not see the three-way handshake, it will simply report the value of the window size field, which may or may not be the true window size, and indicate "[window size scaling factor -1 (unknown)]"

See RFC 1323 for the specification of the TCP window scale option.

answered 11 Apr '12, 19:00

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

edited 11 Apr '12, 19:16