Wireshark · Wireshark-dev: [Wireshark-dev] Erroneous data in TCP display

Wireshark-dev: [Wireshark-dev] Erroneous data in TCP display

From: Ed Franks <ewf@xxxxxxxxx>

Date: Mon, 16 Nov 2009 14:50:47 -0500

I'm a developer for a TCP/IP stack.  I have been getting customer complaints
about setting an initial window size of 0.  When I explain that we don't do
this, they reply "Wireshark says you do."

After examining several Wireshark traces, I see that the display for the
initial SYN packet does, indeed, show a value for "window" (sometimes 0,

sometimes other values). The value obviously comes from the window fieldof the TCP header.


However, "window" is always relative to "ACK", and ACK is never present
in the initial SYN.

Might it be possible to either omit the "window" value when it is undefined
or at least show it as "???".  This would be true only for the initial SYN.

If anyone knows why a stack would set the SYN packet window field to non-zero
(and what it would mean), I would appreciate a pointer to the relevant RFC.

BTW, you provide an excellent product.  It has more than once re-directed the
"smoking gun" from my software to a failing network device.

Follow-Ups:
- Re: [Wireshark-dev] Erroneous data in TCP display
  - From: ronnie sahlberg

Prev by Date: [Wireshark-dev] buildbot failure in Wireshark (development) on Windows-XP-Win64
Next by Date: [Wireshark-dev] buildbot failure in Wireshark (development) on Windows-XP-x86
Previous by thread: Re: [Wireshark-dev] Hi all
Next by thread: Re: [Wireshark-dev] Erroneous data in TCP display
Index(es):
- Date
- Thread