Wireshark and Tcpdump -R: Strange Tcp Window Sizes

wireshark and tcpdump -r: strange tcp window sizes

The window sizes are correct - they're just unscaled.

The connection initiator has set a wscale (window scaling factor) of 7, so its subsequent win values must be multiplied by 128 to get the window size in bytes. Thus the win 46 indicates a window of 5888 bytes.

The connection recipient has set a wscale of 6, so its win values must be multiplied by 64. Thus win 133 indicates a window of 8512 bytes, and win 178 indicates 11392 bytes.
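An added example, not part of the original answer: a small Python helper that applies this rule to tcpdump -r text output, remembering each side's wscale from its SYN and scaling later win values. The function name, sample lines and addresses are constructed. It also covers three cases that follow from RFC 7323: SYN windows are never scaled, scaling only applies when both sides offered wscale, and the factor is unknown when the capture missed the handshake.

```python
import re

# Matches the parts of a tcpdump text line needed here: endpoints, flags, raw window.
LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?\bwin (?P<win>\d+)"
)
WSCALE = re.compile(r"\bwscale (\d+)")

def scaled_windows(lines):
    """Return (src, raw_win, window_bytes) per segment.

    window_bytes is None when the handshake for that connection was not captured.
    """
    offered = {}  # (src, dst) -> wscale offered in that direction's SYN, None if absent
    out = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags, win = m["src"], m["dst"], m["flags"], int(m["win"])
        if "S" in flags:
            ws = WSCALE.search(line)
            offered[(src, dst)] = int(ws.group(1)) if ws else None
            out.append((src, win, win))  # the window in a SYN is never scaled
            continue
        if (src, dst) not in offered or (dst, src) not in offered:
            out.append((src, win, None))  # handshake missed: factor unknown
            continue
        mine, theirs = offered[(src, dst)], offered[(dst, src)]
        # Scaling is only in effect when both SYNs carried the option.
        shift = mine if mine is not None and theirs is not None else 0
        out.append((src, win, win << shift))
    return out

# Constructed sample lines in tcpdump's text format (documentation addresses).
SAMPLE = [
    "20:38:04.705104 IP 192.0.2.10.51000 > 198.51.100.20.80: Flags [S], seq 100, win 5840, options [mss 1460,sackOK,nop,wscale 7], length 0",
    "20:38:04.705300 IP 198.51.100.20.80 > 192.0.2.10.51000: Flags [S.], seq 900, ack 101, win 5792, options [mss 1460,sackOK,nop,wscale 6], length 0",
    "20:38:04.705400 IP 192.0.2.10.51000 > 198.51.100.20.80: Flags [.], ack 1, win 46, length 0",
    "20:38:04.706000 IP 198.51.100.20.80 > 192.0.2.10.51000: Flags [.], ack 120, win 133, length 0",
    "20:38:04.707000 IP 198.51.100.20.80 > 192.0.2.10.51000: Flags [.], ack 500, win 178, length 0",
    "20:38:05.000000 IP 192.0.2.10.51001 > 198.51.100.20.80: Flags [.], ack 1, win 229, length 0",
]

if __name__ == "__main__":
    for src, raw, scaled in scaled_windows(SAMPLE):
        print(f"{src:22} win {raw:5} -> {scaled if scaled is not None else 'unknown (no SYN seen)'}")
```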

tcpdump/wireshark disconnect

Finally, after 5 months, I found how to fix this issue.
I just have to update my network card drivers (in my case, iwlwifi).

tcpdump and wireshark: Show timestamp

You can use a display filter to filter on a time range.

For example:

(frame.time >= "Mar 18, 2015 20:38:04.705104000") && (frame.time <= "Mar 18, 2015 20:38:06.415883000")

Useful link:

Wireshark Wiki


