Differences between revisions 16 and 17
Revision 16 as of 2020-07-22 23:54:46
Size: 3321
Editor: ChuckCraft
Comment:
Revision 17 as of 2020-07-23 01:39:43
Size: 3610
Editor: ChuckCraft
Comment:
Revision 17 adds the "Example capture file" attachment [[attachment:SampleCaptures/200722_win_scale_examples_anon.pcapng]] and the note that the Scaling Factor is only sent in the SYN and SYN/ACK packets; both appear in the page text below.

TCP Relative Sequence Numbers & TCP Window Scaling

By default Wireshark and TShark will keep track of all TCP sessions and convert all Sequence Numbers (SEQ numbers) and Acknowledge Numbers (ACK Numbers) into relative numbers. This means that instead of displaying the real/absolute SEQ and ACK numbers in the display, Wireshark will display a SEQ and ACK number relative to the first seen segment for that conversation.

This means that all SEQ and ACK numbers always start at 0 for the first packet seen in each conversation.

This makes the numbers much smaller and easier to read and compare than the real numbers which normally are initialized to randomly selected numbers in the range 0 - (2^32)-1 during the SYN phase.

This usability feature relies on TCP_Analyze_Sequence_Numbers, so TCP_Analyze_Sequence_Numbers must also be enabled in order to use it.

Using relative sequence numbers is a usability enhancement, making the numbers easier to read and compare. In order to compare a dissection with data from a less advanced analyzer that cannot handle relative sequence numbers, it might be necessary to temporarily disable this feature in Wireshark.

For Wireshark versions prior to 1.5: When the Relative Sequence Numbers preference is enabled Wireshark will also enable "Window Scaling".

For Wireshark 1.5 & newer: "Window Scaling" is a separate TCP preference enabled by default.

If "Window Scaling" is enabled, Wireshark will try to monitor the TCP Window Scaling option negotiated during the SYN phase. If such TCP Window Scaling has been detected, Wireshark will also scale the window field and translate it to the effective window size. This may affect what the dissected and reported window is and may make Wireshark decode packets differently, but more accurately, than other tools.

To disable relative sequence numbers and instead display the real absolute numbers, go to the TCP preferences and untick the box for relative sequence numbers.

[Screenshot: tcprelativesequencenumbers.jpg]

Preference String

Relative sequence numbers and window scaling.

Window Scale Factor

tcp.window_size_scalefactor - The window size scaling factor (-1 when unknown, -2 when no scaling is used)

Example capture file: SampleCaptures/200722_win_scale_examples_anon.pcapng

TCP Stream 0 - client and server both provide a shift count (scale factor) in the SYN and SYN/ACK TCP options.

TCP Stream 1 - not supported by both ends: no shift count in the SYN/ACK from the server, so the scale factor is set to -2 (no scaling).

TCP Stream 2 - SYN from client not captured; Wireshark sets the scale factor to -1 (unknown).

The Scaling Factor is ONLY sent in the SYN and SYN/ACK packets at the start of a TCP connection which shows why it is important to capture the full TCP handshake for troubleshooting.

When the Window Scale Factor is -1 (unknown) or -2 (no scaling), the Calculated Window size = the Window Size value in the TCP header.
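As an added example (not code from the wiki page or from Wireshark itself), the following Python models the handshake logic described above and reproduces the three stream cases of the sample capture; the segments are constructed, and the `override` parameter is an assumed stand-in for the TCP preference that replaces the -1 (unknown) factor.

```python
# Added example, not code from the Wireshark wiki or from Wireshark itself: a small
# model of how a dissector derives a stream's window scale factors from the handshake
# and computes the calculated window size, for the three cases in the sample capture.
# Sentinel values match tcp.window_size_scalefactor: -1 unknown, -2 no scaling.
UNKNOWN, NO_SCALING = -1, -2

def scale_factors(segments, override=None):
    """Return {(src, dst): shift} for each direction of one TCP stream.

    Scaling is in effect only if both SYN and SYN/ACK carry the Window Scale option;
    a SYN/ACK without it means no scaling either way. If the SYN was not captured the
    factor stays UNKNOWN unless override (assumed stand-in for the preference) is set.
    """
    default = UNKNOWN if override is None else override
    factors = {}
    for s in segments:
        if not s["syn"]:
            continue
        fwd, rev = (s["src"], s["dst"]), (s["dst"], s["src"])
        if not s["ack"]:                          # SYN: the client's offered shift count
            factors[fwd] = s.get("wscale", NO_SCALING)
        elif rev not in factors:                  # SYN/ACK without a captured SYN
            factors[fwd] = factors[rev] = default
        elif factors[rev] == NO_SCALING or "wscale" not in s:
            factors[fwd] = factors[rev] = NO_SCALING  # one side opted out: nobody scales
        else:
            factors[fwd] = s["wscale"]            # both offered: server's shift applies
    return factors

def calculated_window(segment, factors):
    """Raw window shifted by the factor, or unchanged when it is -1/-2 or on SYN
    segments, whose window is never scaled (RFC 7323)."""
    shift = factors.get((segment["src"], segment["dst"]), UNKNOWN)
    return segment["win"] if segment["syn"] or shift < 0 else segment["win"] << shift

def sample_streams():
    """Constructed segments modelled on the capture's three streams (not real data)."""
    c, s = "10.0.0.1:5000", "10.0.0.2:443"
    syn = {"src": c, "dst": s, "syn": True, "ack": False, "win": 64240, "wscale": 8}
    synack = {"src": s, "dst": c, "syn": True, "ack": True, "win": 65535, "wscale": 7}
    data = {"src": s, "dst": c, "syn": False, "ack": True, "win": 501}
    no_wscale = {k: v for k, v in synack.items() if k != "wscale"}
    return {0: [syn, synack, data],        # both ends scale
            1: [syn, no_wscale, data],     # server sends no shift count -> -2
            2: [synack, data]}             # client SYN not captured -> -1

def calculated_windows(override=None):
    """Calculated window of the last (data) segment of each sample stream."""
    return {i: calculated_window(segs[-1], scale_factors(segs, override))
            for i, segs in sample_streams().items()}
```

Stream 0 yields a calculated window of 501 << 7 = 64128, while streams 1 and 2 fall back to the raw header value 501 until an override is supplied for the unknown case.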

[Screenshot: 200722_win_scale_calc.png]

The -1 (unknown) scale factor can be overridden using TCP preferences.

Right click on a TCP packet in the Packet List, or in the Packet Details on the TCP section header or a TCP field.

[Screenshot: 200722_tcp_prefs_popup_sm.png]

TCP Preferences are also available through Edit -> Preferences... -> Protocols -> TCP

[Screenshot: 200722_tcp_prefs.png]

The Packet Details pane indicates that the field value was supplied by the TCP Preferences setting.

[Screenshot: 200722_scale_override.png]

TCP_Relative_Sequence_Numbers (last edited 2020-07-23 01:39:43 by ChuckCraft)