A typical TCP conversation starts with a TCP three-way handshake (3WHS). This involves the exchange of SYN, SYN/ACK and ACK packets between the nodes.
In a Wireshark capture I often wish to follow a TCP conversation from the very first packet to the last. Wireshark 1.6.0 and above has a display filter field which can show all the TCP sessions that have their 3WHS in the trace file: tcp.window_size_scalefactor.
The values of tcp.window_size_scalefactor and their meanings are as follows:
-1 : No three-way handshake has been observed, so it is unknown whether window scaling is in use.
-2 : No window scaling was negotiated between the nodes.
0 or more : Window scaling was negotiated and this is the announced window scaling factor for this flow.
tcp.window_size_scalefactor!=-1 lists all the conversations for which the 3WHS was observed. Note that this display filter won’t display the SYN or the SYN/ACK packets themselves; it displays the packets following the 3WHS. To display the conversations along with the SYN and SYN/ACK you can do either of these two things:
- Right click on the packet of interest and choose the Follow TCP Stream option from the context menu.
- Logical OR the display filter with tcp.flags.syn==1.
tcp.window_size_scalefactor!=-1 or tcp.flags.syn==1
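Added example, not from the original post or from Wireshark's own dissector: a small model of how a per-packet scale factor can be derived from an observed handshake using the -1 / -2 convention above, and what each of the two filters selects. Non-negative values are assumed to be the multiplier (1 << shift from the WS option); the packets are constructed, not taken from a real capture.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    stream: int                   # conversation index, like Wireshark's tcp.stream
    direction: str                # "c2s" (client->server) or "s2c"
    syn: bool = False
    ack: bool = False
    wscale: Optional[int] = None  # shift count from the WS option on SYN / SYN-ACK

def scale_factors(packets):
    """Per packet: -1 (no handshake seen), -2 (no scaling negotiated), else the multiplier."""
    ws = {}     # stream -> {"c2s": shift or None, "s2c": shift or None}
    seen = {}   # stream -> handshake stages observed so far ("syn", "synack")
    result = []
    for p in packets:
        w = ws.setdefault(p.stream, {"c2s": None, "s2c": None})
        s = seen.setdefault(p.stream, set())
        if p.syn:
            s.add("synack" if p.ack else "syn")
            w[p.direction] = p.wscale     # each side announces its own shift
            result.append(-1)             # SYN and SYN/ACK windows are never scaled
            continue
        if {"syn", "synack"} <= s:
            # scaling is only in effect when both sides sent the WS option
            if w["c2s"] is None or w["s2c"] is None:
                result.append(-2)
            else:
                result.append(1 << w[p.direction])
        else:
            result.append(-1)             # captured mid-connection
    return result

def display_filter(packets, include_syn=False):
    """Indices matching 'tcp.window_size_scalefactor != -1', optionally OR'd with 'tcp.flags.syn == 1'."""
    factors = scale_factors(packets)
    return [i for i, (p, f) in enumerate(zip(packets, factors))
            if f != -1 or (include_syn and p.syn)]

# Constructed trace: stream 0 has a full handshake with WS=7 both ways, stream 1 has
# no WS option on the SYN/ACK, stream 2 was captured mid-connection (no 3WHS in file).
TRACE = [
    Packet(0, "c2s", syn=True, wscale=7),
    Packet(0, "s2c", syn=True, ack=True, wscale=7),
    Packet(0, "c2s", ack=True),
    Packet(0, "s2c", ack=True),
    Packet(1, "c2s", syn=True, wscale=8),
    Packet(1, "s2c", syn=True, ack=True),
    Packet(1, "c2s", ack=True),
    Packet(2, "c2s", ack=True),
    Packet(2, "s2c", ack=True),
]
```

Running scale_factors(TRACE) gives [-1, -1, 128, 128, -1, -1, -2, -1, -1]; the plain filter selects packets 2, 3 and 6 only, while the OR with tcp.flags.syn==1 also brings in the four SYN / SYN-ACK packets.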