This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

what is ‘WS’ ‘TSval’ and ‘SACK_PERM’ mean in packet info columns???

0
1

Dear wireshark experts,

I got stuck in with some really tough questions, just as mentioned in subject. What is that???

Help!!!

8   1.253204    172.30.87.216   119.167.194.133 TCP 74  50785 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 ***SACK_PERM=1 TSval=1575384402 TSecr=0 WS=128***

So appreciated in advance!

asked 04 Nov '11, 03:56

wenchao_wang's gravatar image

wenchao_wang
1121
accept rate: 0%

edited 04 Nov '11, 03:57

grahamb's gravatar image

grahamb ♦
19.8k330206

One Answer:

3

First of all, it is not really a tough question ;-)

What you have there is a SYN packet (which is used in the TCP handshake session setup), and in that packet optional TCP parameters are given - see RFC 1323 for more details on what and why.

  • SACK_PERM means that the node with IP 172.30.87.216 "knows" how to work with so called "Selective Acknowledgements", as described in RFC 2018.
  • It also uses TCP Timestamps (TSval/TSecr), and uses a
  • "Window Scaling of 128, which is the result of it advertising a Scale Factor of 7 (not seen in the info column, but in the decode).

All of these are so called high performance options that are now pretty common since all modern TCP stacks know about those and use them, especially in high latency high bandwidth environments (LFN).

answered 04 Nov '11, 04:10

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 17 Jul '12, 13:48

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196