This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Looking for a little help

0

I'm using a couple of Color Rules that were given to me during a WireShark class with Laura Chappell. The color rule that this network is hitting is as follows: (tcp.window_size < 1460) && (tcp.flags.reset == 0)

I know that this is a color rule to find Windows Zero Errors and Window Size under 1460. The question: Is this rule correct or is there a better rule? Since it isn't exactly a Window Zero error should I worry about it? I've attached a screen shot of my Wireshark. Orange is the Color Rule above.

Thanks

alt text

asked 11 Oct '12, 12:37

q2srw77's gravatar image

q2srw77
1112
accept rate: 0%

edited 11 Oct '12, 12:39


2 Answers:

0

I have a similar coloring rule, but mine does consider the possibility that Wireshark hasn't seen the Three Way Handshake and thus doesn't know about the scaling factor:

(tcp.window_size < 1460) and not (tcp.flags.reset==1 or tcp.window_size_scalefactor == -1)

answered 11 Oct '12, 13:24

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

0

Your coloring rule only shows frames with a window size under 1460 and TCP packets that do not have the RESET flag set. Jasper's reduces false positives further by taking the scale factor out of the equation. You could have a window size of less than 1460 and still not have a full window (yours are between 251 and 256).

You can use Wireshark's built-in analysis to write a coloring rule for zero window packets: tcp.analysis.zero_window

That will get you zero window packets while excluding small windows.

-Greg

answered 17 Oct '12, 11:35

thechaosmachine's gravatar image

thechaosmachine
0112
accept rate: 0%