Ask Your Question
0

TCP traffic SYN/ACK packets that contain window scaling options

asked 2022-03-18 23:40:44 +0000

tlm gravatar image

Hello, in your opinion how can I filter TCP traffic SYN/ACK packets that does contain window scaling options?

Can I use !(window_size_scalefactor == -2)?

(tcp.flags.syn==1 && tcp.flags.ack==1) && !(tcp.window_size_scalefactor == -2)

Window size scaling factor: -1 (unknown, start of session not captured) Window size scaling factor: -2 (no window scaling used)

edit retag flag offensive close merge delete

Comments

Is Window Scale Kind 3? Can I filter TCP traffic SYN/ACK packets that does contain window scaling options this way?

tcp.option_kind == 3 && tcp.flags.syn==1 && tcp.flags.ack==1

tlm gravatar imagetlm ( 2022-03-18 23:52:59 +0000 )edit

dfilter: Add bitwise masking of bits
When complete, you could streamline the flag check into tcp.flags & 0x012 == 0x012.
I'm not sure that's easier to read but more compact.

Chuckc gravatar imageChuckc ( 2022-03-22 00:44:00 +0000 )edit

@Chuckctcp.flags&18==18 is even more compact! ;-) I'm looking forward to this filter functionality in the next (major) release!

SYN-bit gravatar imageSYN-bit ( 2022-03-24 07:18:40 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-03-19 00:50:18 +0000

Chuckc gravatar image

Check the Display Filter Reference for TCP fields.

tcp.options.wscale.shift is the option value in the packet.
tcp.options.wscale.multiplier is the Wirehark generated value for the multiplier.

Do you want to know if the options exists:

tcp.options.wscale.shift && tcp.flags.syn==1 && tcp.flags.ack==1

Or that it affects the window size:

(tcp.options.wscale.shift > 0) && tcp.flags.syn==1 && tcp.flags.ack==1
edit flag offensive delete link more

Comments

Chuckc, I wanted know if the options exists. Thank you for confirming that.

tlm gravatar imagetlm ( 2022-03-19 02:00:21 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-03-18 23:40:44 +0000

Seen: 409 times

Last updated: Mar 19 '22

Related questions

graph of tcp window scaling

What does a window size scaling factor of -1 mean?

what determines the final windows scaling factor?

why am i not able to see my interfaces in wireshark except USBPcaps 1,2,3? I am using windows 10 64 bit

TCP keep-alive ack and finally reset when query Database using TDS Protocol

What causes a connection reset after retransmission and TCP window update?

install tshark on windows with non admin user

How set GUI dimensions/location with "-o prefname:value"

install two wireshark through command in line silent mode

Window is huge!

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2