This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What will cause the TCP options such as scaling and SACK not to show during the handshake? Would a router or firewall do this? A message of NOP 4 NOP row a router may have removed is reported by Wireshark.

asked 02 Oct '12, 15:00

ws2006's gravatar image

ws2006
1121214
accept rate: 0%


If you don't see a TCP option in the handshake packet(s), then the option wasn't there when Wireshark saw the packet. It is possible that the system sending the packet included an option and then an intermediate router, firewall, or other security device stripped out the option and replaced it with a NOP.

When options are used, the TCP header is expanded in multiples of four bytes to make room for the option(s). If the options do not take all four bytes, then zeroes (NOPs) fill the unused bytes. A sending system will never put four NOPs in a row. If it had no options for that four-byte area, it simply wouldn't add the four bytes at all. As Wireshark is telling you, four NOPs in a row is a strong indication that some intermediate device has removed one or more options and substituted NOPs.

permanent link

answered 02 Oct '12, 18:57

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

1

Laura Chappell suggested this feature during Sharkfest '10 and Stig Bjørlykke implemented it in r33265. Some additional information: https://www.lcuportal2.com/index.php?option=com_easyblog&view=entry&id=1&Itemid=73.

(02 Oct '12, 19:27) cmaynard ♦♦

So with no options with scaling or sack, the window size advertised was 47K. I would assume performance of the application will suffer with these options removed.

(06 Oct '12, 18:12) ws2006

SACK is always good to have, because it is usually the best way to recover from packet loss and has no known downsides if used.

Window scaling is a different cup of tea: a window too small can be bad, because you can't utilize the available bandwith if the line has high bandwitdh coming with high latency. BUT a window too big is bad, too, since it can lead to buffer overload in routers and switches, leading to packet drops and thus retransmissions.

(07 Oct '12, 09:33) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×8

question asked: 02 Oct '12, 15:00

question was seen: 13,605 times

last updated: 07 Oct '12, 14:34

p​o​w​e​r​e​d by O​S​Q​A