Hi, Can somebody explain me why the initial WS value in the SYN packet differs from the WS value of the ACK packet and whether there is a way to calculate it ? Example : 65535/1460 = 44.89 So 44 full size frame max x 1460 x 4 = 256960. Thanks, Thierry asked 01 Apr '16, 11:15  thierryn edited 01 Apr '16, 12:45  Jasper ♦♦ |
4 Answers:
in a scenario like this...: Wireshark shows us in the Info column of the Frames (1) and (2) not the calculated Window Size, like we can see it in Frame (3), because....
And the formula for the window size in the ack segment is for Wireshark info column displays answered 01 Apr '16, 11:55  Christian_R edited 01 Apr '16, 13:25 |
The scale factor is only specified in packets with a SYN flag, so the client tells it scale factor in the SYN packet, the server in the SYN/ACK packet. Scaling is only used if both offer a scale factor, otherwise it can't be used by either node. A node offering a scale factor of 1 basically says "I know how it works, but I'm not going to use it myself". A Scale factor is then used for all other packets coming from the same node. What you need to do is look at the "Window Size Value" field in the TCP layer, and multiply that with the Window Scale Multiplier in the SYN packet TCP options, in your case 4. And do that for all following packets from the client to get the actual window size. The value 256960 equals 64240*4, so I guess your ACK packet had a "Window Size Value" of 64240. answered 01 Apr '16, 12:52 Jasper ♦♦ edited 01 Apr '16, 13:10 Agree: The scale factor like 2^4 = 16 is the correct interpretation for the WS scale field in the header and the packet detail pane, if the value is 4. But Wireshark shows us the calculated decimal value, in this case the 16 in the info column. So nobody should be wondering... (01 Apr '16, 13:00) Christian_R Uh oh I think I mixed your example with the one in the question... I think I'll have to rewrite my answer (01 Apr '16, 13:03) Jasper ♦♦ Yeah it was cheeky, from me to use my own values at the first part of the answer and using the values of the question in the second the part ;) I will correct my answer, too. (01 Apr '16, 13:21) Christian_R |
Hey guys, These are the three-way handshake packets :
So Why is Win=65535 with WS=4 at the SYN packet and Win=256960 (and not 65535x4) at the ACK packet ? answered 02 Apr '16, 04:46 thierryn The window size is unique for every segment but the scale factor is advertised only in the syn segments. So for the ack you have 256960 which equals the window size of 64240 multiplied by the Ws of 4. Which we both told you. (02 Apr '16, 05:53) Christian_R |
This is the point : why 64240 x 4 and not 65535 x 4 as 65535 was initially mentioned in the SYN packet ?? Another example hereunder. There is not WS, so easier... Why a window size of 16384 in the SYN packet and then a window size of 17520 in the ACK packet ??
answered 02 Apr '16, 06:20 thierryn Because it defined so in the RFCs. Please read this http://packetbomb.com/understanding-throughput-and-tcp-windows/ (02 Apr '16, 06:34) Christian_R |
Sorry Christian, but it's not clear for me. Your calculation is wrong : 65535 * 4 is not 256960 but 262140. That's why it's not clear to me...
Ok sorry haven't calculated it, And I edited the answer. So what is the value of window size field in the packet detail pane of the ACK segment? The value should be 64.240 for 256960. Please see that there will be 2 values
window sizeandcalculated window size. As shown in my answer.