What will cause the TCP options such as scaling and SACK not to show during the handshake? Would a router or firewall do this? A message of NOP 4 NOP row a router may have removed is reported by Wireshark. asked 02 Oct '12, 15:00 ws2006 |
One Answer:
If you don't see a TCP option in the handshake packet(s), then the option wasn't there when Wireshark saw the packet. It is possible that the system sending the packet included an option and then an intermediate router, firewall, or other security device stripped out the option and replaced it with a NOP. When options are used, the TCP header is expanded in multiples of four bytes to make room for the option(s). If the options do not take all four bytes, then zeroes (NOPs) fill the unused bytes. A sending system will never put four NOPs in a row. If it had no options for that four-byte area, it simply wouldn't add the four bytes at all. As Wireshark is telling you, four NOPs in a row is a strong indication that some intermediate device has removed one or more options and substituted NOPs. answered 02 Oct '12, 18:57 Jim Aragon |
Laura Chappell suggested this feature during Sharkfest '10 and Stig Bjørlykke implemented it in r33265. Some additional information: https://www.lcuportal2.com/index.php?option=com_easyblog&view=entry&id=1&Itemid=73.
So with no options with scaling or sack, the window size advertised was 47K. I would assume performance of the application will suffer with these options removed.
SACK is always good to have, because it is usually the best way to recover from packet loss and has no known downsides if used.
Window scaling is a different cup of tea: a window too small can be bad, because you can't utilize the available bandwith if the line has high bandwitdh coming with high latency. BUT a window too big is bad, too, since it can lead to buffer overload in routers and switches, leading to packet drops and thus retransmissions.